

Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (the #Uxxxx sequences are the sandbox's escaping of the Chinese filename 安装程序_1.1.4.exe, "installer_1.1.4.exe")
renamed by the sandbox; the recorded original name below is the same filename with its non-ASCII characters dropped
Original sample name: _1.1.4.exe
Analysis ID: 1580542
MD5: 704d909b74fde4f05ceba394fc91416b
SHA1: e78859d87194b3968f1492e18f93424ccd946d63
SHA256: a7e3fad1d01f1888aa10d040699857288d4c6b4dc0e77eb5381e34c5c9e8e4e9
Tags: exe, SilverFox, ValleyRAT, winos, user-Fadouse

Detection

Score: 96 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" MD5: 704D909B74FDE4F05CEBA394FC91416B)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp (PID: 7288 cmdline: "C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" MD5: 833E148BCEB71E3D12C96B53539F24E1)
      • powershell.exe (PID: 7308 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7764 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (PID: 7384 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT MD5: 704D909B74FDE4F05CEBA394FC91416B)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp (PID: 7440 cmdline: "C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$2044C,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT MD5: 833E148BCEB71E3D12C96B53539F24E1)
          • 7zr.exe (PID: 7580 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7688 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7556 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7572 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7952 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8148 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4548 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3592 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5856 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7328 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7376 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7636 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7664 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6540 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7756 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7716 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7436 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7332 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7316 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8032 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8100 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8140 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8184 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1516 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4456 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2108 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6924 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7588 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5676 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7736 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7816 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ParentProcessId: 7288, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7308, ProcessName: powershell.exe
Source: Process started. Author: Nasreddine Bencherchali (Nextron Systems). Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7556, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7572, ProcessName: sc.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ParentProcessId: 7288, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7308, ProcessName: powershell.exe
Source: Process started. Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community. Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7556, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7572, ProcessName: sc.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ParentProcessId: 7288, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7308, ProcessName: powershell.exe
No Suricata rule has matched
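The process tree and the Sigma hits above contain the behaviours a detection engineer would want to catch from process-creation telemetry alone: an Inno Setup stub spawning PowerShell to add a Defender exclusion for the whole C: drive, a kernel-mode service registered with sc.exe whose binPath is a .dll outside System32\drivers, a retry loop of "sc start CleverSoar", and 7zr.exe unpacking password-protected .dat archives. The Python below is an added example written for this page; it is not Joe Sandbox code and not the Sigma rules credited above. It runs those checks over events constructed from the report's command lines. The event field names, the start-storm threshold, the benign "sc qc Spooler" control event and its PID 4242 are this example's assumptions.

```python
"""Checks over Windows process-creation events for the installer chain in this
report.  Added example: not Joe Sandbox code and not the Sigma rules credited
above.  Event field names, the start-storm threshold, the benign control event
and PID 4242 are this example's assumptions; the other command lines are copied
from the report's process tree."""
import re
from collections import Counter

START_STORM_THRESHOLD = 5   # assumed: 5+ 'sc start <svc>' in one run is a retry loop

SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)(.*)", re.I)
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+start\s+(\S+)", re.I)
SC_KV_RE = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')      # sc.exe 'key= value' syntax
MP_EXCL_RE = re.compile(
    r"""Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+('[^']*'|"[^"]*"|\S+)""", re.I)


def parse_sc_create(cmdline):
    """Return {'name', 'binpath', 'type', 'start', ...} for an 'sc create' line, else None."""
    m = SC_CREATE_RE.search(cmdline)
    if not m:
        return None
    svc = {"name": m.group(1)}
    for key, val in SC_KV_RE.findall(m.group(2)):
        svc[key.lower()] = val.strip('"')
    return svc


def unusual_driver_path(binpath):
    """Kernel drivers normally live under System32\\drivers and end in .sys."""
    p = binpath.lower()
    return not (p.endswith(".sys") and "\\system32\\drivers\\" in p)


def detect(events):
    """Run all checks over dicts with 'pid', 'image', 'parent_image', 'cmdline'."""
    findings, starts = [], Counter()
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent_path = ev.get("parent_image", "").lower()
        parent = parent_path.rsplit("\\", 1)[-1]
        cmd = ev["cmdline"]
        # 1. Defender exclusion added from PowerShell; a drive root is the broadest possible scope
        if image == "powershell.exe" and (m := MP_EXCL_RE.search(cmd)):
            value = m.group(2).strip("'\"")
            findings.append({"rule": "defender_exclusion", "pid": ev["pid"],
                             "detail": f"{m.group(1)}={value}",
                             "broad": bool(re.fullmatch(r"[a-z]:\\?", value, re.I))})
        # 2. Kernel-mode service registered with sc.exe; flag a binary that is not a .sys in drivers\
        if image == "sc.exe" and (svc := parse_sc_create(cmd)) and svc.get("type", "").lower() == "kernel":
            findings.append({"rule": "kernel_driver_service", "pid": ev["pid"],
                             "detail": f'{svc["name"]} -> {svc.get("binpath")}',
                             "unusual_path": unusual_driver_path(svc.get("binpath", ""))})
        # 3. Count 'sc start <svc>' per service; the storm check runs after the loop
        if image == "sc.exe" and (m := SC_START_RE.search(cmd)):
            starts[m.group(1)] += 1
        # 4. 7-Zip extracting a password-protected archive (the report's res.dat / locale3.dat)
        if image in ("7zr.exe", "7z.exe", "7za.exe") and " x " in f" {cmd} " \
                and any(t.startswith("-p") and len(t) > 2 for t in cmd.split()):
            findings.append({"rule": "password_protected_payload", "pid": ev["pid"], "detail": cmd})
        # 5. Inno Setup's unpacked is-XXXXX.tmp\*.tmp stub spawning a shell or PowerShell
        if image in ("powershell.exe", "cmd.exe") and parent.endswith(".tmp") and "\\temp\\is-" in parent_path:
            findings.append({"rule": "installer_spawns_interpreter", "pid": ev["pid"],
                             "detail": f"{parent} -> {image}"})
    for name, n in starts.items():
        if n >= START_STORM_THRESHOLD:
            findings.append({"rule": "service_start_storm", "pid": None, "detail": f"sc start {name} x{n}"})
    return findings


# Constructed events modelled on the report's process tree (PIDs and command lines from the
# report, except the benign 'sc qc Spooler' control at PID 4242, which is made up and must not fire).
INST_TMP = r"C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp"
SC, CMD = r"C:\Windows\System32\sc.exe", r"C:\Windows\System32\cmd.exe"
PS_CMD = '"powershell.exe" -Command "Add-MpPreference -ExclusionPath ' + "'C:\\'" + '"'
SAMPLE_EVENTS = [
    {"pid": 7308, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": INST_TMP, "cmdline": PS_CMD},
    {"pid": 7580, "image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp",
     "cmdline": "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"},
    {"pid": 7572, "image": SC, "parent_image": CMD,
     "cmdline": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"pid": 4242, "image": SC, "parent_image": CMD, "cmdline": "sc qc Spooler"},
] + [
    {"pid": pid, "image": SC, "parent_image": CMD, "cmdline": "sc start CleverSoar"}
    for pid in (7824, 7868, 7952, 8020, 8080, 8148)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The kernel-service check keys on "type= kernel" rather than on the service name, and the path test is deliberately coarse: a legitimate driver installed from Program Files with a .sys extension still passes, while a .dll under "Windows NT" in Program Files (x86), as here, does not. The start-storm count is only meaningful per host and per analysis window; on a real EDR feed it would be bucketed by host and time.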


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc. ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc. Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\update.vbc. ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\update.vbc. ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe. Virustotal: Detection: 8%
Source: Submitted sample. Integrated Neural Analysis Model: Matched 85.7% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe. Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe. Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb. Found in: 7zr.exe, 0000000B.00000003.1723588424.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1723400272.0000000003900000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr. (tProtect.dll is the file the process tree registers as the CleverSoar kernel service, so despite its .dll extension it is a 64-bit driver build carrying the TfSysMon PDB path; this is the file behind the "Found driver which could be used to inject code into processes" and "Drops files with a non-matching file extension" signatures.)
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C58E090 FindFirstFileA,FindClose,FindClose,5_2_6C58E090
Source: C:\Program Files (x86)\Windows NT\7zr.exe. Code function: 8_2_00D76868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,8_2_00D76868
Source: C:\Program Files (x86)\Windows NT\7zr.exe. Code function: 8_2_00D77496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,8_2_00D77496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000003.1679063671.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr. Strings found in binary or memory (DigiCert AIA, CRL, OCSP and CPS URLs, typical of an embedded Authenticode signature with an EV code-signing certificate and a timestamp; the trailing 0, 0E, 0C and similar are adjacent DER bytes picked up by the string scanner, not part of the URLs):
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe. String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1671019964.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1670470870.0000000003050000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1672485947.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000005.00000000.1684477586.0000000000B6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr. String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1671019964.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1670470870.0000000003050000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1672485947.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000005.00000000.1684477586.0000000000B6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr. String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Process information set: 01 00 00 00 (ProcessBreakOnTermination set to 1: the process marks itself critical, so terminating it bugchecks the machine; this is the "Protects its processes via BreakOnTermination flag" signature and the reason the finding sits under Operating System Destruction)

System Summary

Source: update.vbc.1.dr. Static PE information: section name: .aQ#
Source: hrsw.vbc.5.dr. Static PE information: section name: .aQ#
Source: update.vbc.5.dr. Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C598810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6C598810
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C413886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C413886
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C599450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6C599450
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C413C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C413C62
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C413D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C413D62
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C413D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C413D18
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C4139CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C4139CF
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C413A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C413A6A
(The NtSetInformationThread(GetCurrentThread(), ...) pairs above are the pattern behind the "Hides threads from debuggers" signature: the ThreadHideFromDebugger information class stops an attached debugger from receiving events for that thread. The 5_2_6C599450 function enables a privilege with AdjustTokenPrivileges before NtInitiatePowerAction, which is what the "Enables security privileges" and "Contains functionality to shutdown / reboot the system" signatures refer to.)
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C411950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C411950 (opening a device object and sending it an IOCTL: the "Contains functionality to communicate with device drivers" signature)
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp. Code function: 5_2_6C414754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C414754
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C4147545_2_6C414754
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C778D125_2_6C778D12
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6E4F0A5_2_6C6E4F0A
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C76B06F5_2_6C76B06F
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5948605_2_6C594860
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C7038815_2_6C703881
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C59A1335_2_6C59A133
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6A7A465_2_6C6A7A46
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C71CB305_2_6C71CB30
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5F9CE05_2_6C5F9CE0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C646D505_2_6C646D50
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5E5EC95_2_6C5E5EC9
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C64CE805_2_6C64CE80
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5CBEA15_2_6C5CBEA1
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6418105_2_6C641810
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5CB9725_2_6C5CB972
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C65D9305_2_6C65D930
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C64C9F05_2_6C64C9F0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C642A505_2_6C642A50
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C640AD05_2_6C640AD0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C644AA05_2_6C644AA0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C657AA05_2_6C657AA0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5E3B665_2_6C5E3B66
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5D3BCA5_2_6C5D3BCA
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5E840A5_2_6C5E840A
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6525C05_2_6C6525C0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6455805_2_6C645580
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C64C6E05_2_6C64C6E0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C66C7005_2_6C66C700
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C5CF7CF5_2_6C5CF7CF
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6430205_2_6C643020
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 5_2_6C6567505_2_6C656750
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DB81EC	8_2_00DB81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D8E00A	8_2_00D8E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF81C0	8_2_00DF81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF22E0	8_2_00DF22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E08240	8_2_00E08240
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0C3C0	8_2_00E0C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E12300	8_2_00E12300
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E004C8	8_2_00E004C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DDE49F	8_2_00DDE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF25F0	8_2_00DF25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DE66D0	8_2_00DE66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DEA6A0	8_2_00DEA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DE8650	8_2_00DE8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0E990	8_2_00E0E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DEC950	8_2_00DEC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DC0943	8_2_00DC0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF2A80	8_2_00DF2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DCAB11	8_2_00DCAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF6CE0	8_2_00DF6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DE8C20	8_2_00DE8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E04EA0	8_2_00E04EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E00E00	8_2_00E00E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DFD089	8_2_00DFD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DD10AC	8_2_00DD10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DED1D0	8_2_00DED1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E091C0	8_2_00E091C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF5180	8_2_00DF5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DEB180	8_2_00DEB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E01120	8_2_00E01120
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DDB121	8_2_00DDB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0D2C0	8_2_00E0D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E07200	8_2_00E07200
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D753CF	8_2_00D753CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0F3C0	8_2_00E0F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DD53F3	8_2_00DD53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D9B3E4	8_2_00D9B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DFF3A0	8_2_00DFF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E054D0	8_2_00E054D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DBD496	8_2_00DBD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0D470	8_2_00E0D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DE7410	8_2_00DE7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DFF420	8_2_00DFF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0F599	8_2_00E0F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D71572	8_2_00D71572
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E01550	8_2_00E01550
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E03530	8_2_00E03530
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DEF500	8_2_00DEF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E1351A	8_2_00E1351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DFD6A0	8_2_00DFD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DC9652	8_2_00DC9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E13601	8_2_00E13601
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D797CA	8_2_00D797CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E077C0	8_2_00E077C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D89766	8_2_00D89766
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D9F8E0	8_2_00D9F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00E0D9E0	8_2_00E0D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DEF910	8_2_00DEF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D8BAC9	8_2_00D8BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF7AF0	8_2_00DF7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DC3AEF	8_2_00DC3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D71AA1	8_2_00D71AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D8BC92	8_2_00D8BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF7C50	8_2_00DF7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DEFDF0	8_2_00DEFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF5E80	8_2_00DF5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00DF5F80	8_2_00DF5F80
Source: Joe Sandbox View	Dropped File: C:\Program Files (x86)\Windows NT\tProtect.dll 15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00D71E40 appears 83 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00D728E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00E0FB10 appears 720 times
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Code function: String function: 6C669F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Code function: String function: 6C5CC240 appears 31 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1670470870.000000000316E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamee4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1671019964.000000007EF3A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamee4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000000.1669018347.0000000000399000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNamee4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Binary or memory string: OriginalFileNamee4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.dr	Binary string: \Device\TfSysMon
Source: tProtect.dll.11.dr	Binary string: \Device\TfKbMonPWLCache
Source: classification engine	Classification label: mal96.evad.winEXE@150/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Code function: 5_2_6C599450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	5_2_6C599450
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D79313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	8_2_00D79313
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D83D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	8_2_00D83D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 8_2_00D79252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,	8_2_00D79252
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Code function: 5_2_6C598930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,	5_2_6C598930
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	File created: C:\Program Files (x86)\Windows NT\is-T8217.tmp
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7748:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8028:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	File created: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Virustotal: Detection: 8%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: unknown	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$2044C,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$2044C,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static file information: File size 7237925 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1723588424.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1723400272.0000000003900000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 8_2_00DF57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 8_2_00DF57D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x34384b
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr Static PE information: real checksum: 0x0 should be: 0x34384b
Source: update.vbc.5.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.1.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static PE information: real checksum: 0x0 should be: 0x6ea786
Source: tProtect.dll.11.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr Static PE information: section name: .didata
Source: update.vbc.1.dr Static PE information: section name: .00cfg
Source: update.vbc.1.dr Static PE information: section name: .voltbl
Source: update.vbc.1.dr Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr Static PE information: section name: .didata
Source: 7zr.exe.5.dr Static PE information: section name: .sxdata
Source: hrsw.vbc.5.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.5.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.5.dr Static PE information: section name: .aQ#
Source: update.vbc.5.dr Static PE information: section name: .00cfg
Source: update.vbc.5.dr Static PE information: section name: .voltbl
Source: update.vbc.5.dr Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 5_2_6C59BDDB push ecx; ret 5_2_6C59BDEE
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 5_2_6C440F00 push ss; retn 0001h 5_2_6C440F0A
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 5_2_6C669F10 push eax; ret 5_2_6C669F2E
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 5_2_6C5CE9F4 push 004AC35Ch; ret 5_2_6C5CEA0E
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 5_2_6C66A290 push eax; ret 5_2_6C66A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 8_2_00D745F4 push 00E1C35Ch; ret 8_2_00D7460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 8_2_00E0FB10 push eax; ret 8_2_00E0FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 8_2_00E0FE90 push eax; ret 8_2_00E0FEBE
Source: update.vbc.1.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.5.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.5.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe File created: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe File created: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\update.vbc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (97 identical entries)
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 identical entries)
These entries are SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX) calls, which suppress the Windows error dialogs a missing file or DLL would otherwise raise. Installers do this routinely: the is-*.tmp directories and the _isetup\_setup64.tmp helper listed below are standard Inno Setup artefacts, and powershell.exe sets the flag itself. On their own these lines carry little signal; the sections that follow contain the behaviour that matters.

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6562
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3132
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Window / User API: threadDelayed 597
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Window / User API: threadDelayed 621
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Window / User API: threadDelayed 550
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe | API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (32 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C58E090: FindFirstFileA, FindClose, FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function 8_2_00D76868: __EH_prolog, FindFirstFileW, FindFirstFileW, FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function 8_2_00D77496: __EH_prolog, GetLogicalDriveStringsW, GetLogicalDriveStringsW, GetLogicalDriveStringsW
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function 8_2_00D79C60: GetSystemInfo
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000002.1698554743.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000002.1698554743.0000000000CDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Reading this section: the FirmwareTableInformation query (NtQuerySystemInformation with SystemFirmwareTableInformation) returns the raw SMBIOS and ACPI tables, which is where hypervisor vendor strings live; together with the VMware SATA CD-ROM device path recovered from the .tmp's memory it is the concrete VM-detection evidence here. The powershell.exe delay of 922337203685477 ms is Int64.MaxValue in 100 ns ticks converted to milliseconds, i.e. an infinite wait on a handle rather than a chosen sleep interval, and the 32 conhost.exe entries are the console host idling, so neither should be read as the sample's own stalling. The .tmp's threadDelayed counts are the sample's, and the 7.5 % API coverage for 7zr.exe (the 7-Zip console extractor the sample drops and uses to unpack tProtect.dll) means most of that binary's code never ran in the sandbox. Of the dropped-but-not-started files, hrsw.vbc and update.vbc are PE images despite the extension and tProtect.dll is the file registered as a kernel driver in the section below; _setup64.tmp is a standard Inno Setup component.

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C413886: NtSetInformationThread(00000000, 00000011, 00000000, 00000000)
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Thread information set: HideFromDebugger (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C5A3871: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function 8_2_00DF57D0: GetCurrentProcessId, GetCurrentThreadId, LoadLibraryW, GetProcAddress, FreeLibrary, GetTickCount, QueryPerformanceCounter, GetTickCount
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C5AD456: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C5AD425: mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C5A286D: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C5A3871: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C59C3AD: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Reading this section: NtSetInformationThread with ThreadInformationClass 0x11 is ThreadHideFromDebugger, which stops the calling thread from delivering debug events to an attached debugger; the two HideFromDebugger entries are that call taking effect, and the DebugPort query (NtQueryInformationProcess with ProcessDebugPort) is the complementary check for an attached debugger. The three mov eax, fs:[30h] reads fetch the x86 PEB pointer, the usual prelude to inspecting BeingDebugged or NtGlobalFlag. By contrast, the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter sequences at 5_2_6C5A3871 and 5_2_6C59C3AD, and the GetTickCount / QueryPerformanceCounter sequence in 7zr.exe, are consistent with ordinary MSVC CRT startup code (fail-fast handling and stack-cookie seeding) and carry no signal by themselves. "Process token adjusted: Debug" means SeDebugPrivilege was enabled in the token, a prerequisite for opening processes the caller would not otherwise have access to.

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 identical entries)
Source: tProtect.dll.11.dr | Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc start CleverSoar (32 identical entries)
Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
Reading this section: Add-MpPreference -ExclusionPath 'C:\' excludes the whole system drive from Defender real-time and scheduled scanning; the cmdlet needs an elevated token, and the change is recorded on the host as Microsoft-Windows-Windows Defender/Operational event 5007. The installer then relaunches itself with /VERYSILENT, which accounts for the second Inno Setup instance (is-SDIGA.tmp) seen throughout the report. sc create ... type= kernel start= auto registers tProtect.dll as an auto-start kernel-mode driver service: the service control manager does not care about the file extension, so the .dll name is cosmetic, but a driver image under Program Files (x86)\Windows NT instead of System32\drivers is itself a hunting criterion, and the installation produces System event 7045 with service type "kernel mode driver". The 32 consecutive sc start CleverSoar calls show the start being retried repeatedly rather than succeeding at the first attempt.
Source: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function 5_2_6C66A720: cpuid
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function 8_2_00D7AB2A: GetSystemTimeAsFileTime
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function 8_2_00E10090: GetVersion
The volume-information queries against CatRoot catalog files, GAC assemblies and module DLLs all come from powershell.exe and are consistent with its own module discovery and catalog signature checks while it resolves the Add-MpPreference cmdlet; they are runtime noise rather than sample behaviour. The cpuid instruction in the .tmp is the entry that belongs with the VM-detection evidence in the evasion section above.
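As an added example (not code from this report or from the sample), the two defence-evasion commands recorded above, the Add-MpPreference exclusion and the sc create ... type= kernel registration, are the events a responder would want to pull out of process-creation telemetry. The Python below runs that check over constructed records modelled on this report's lines; the -EncodedCommand record, the tapdrv control entry and the rule names are assumptions of the example, and it also handles the base64-encoded form of the cmdlet, which goes beyond the plain -Command form shown here.

```python
import base64
import re

# Constructed process-creation records (parent image, command line) modelled on
# this report's entries; the -EncodedCommand one is a constructed generalisation
# of the same cmdlet hidden behind base64 (PowerShell decodes it as UTF-16LE).
def _encode_ps(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ("#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp",
     "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ("cmd.exe", "sc create CleverSoar displayname= CleverSoar binPath= "
     "\"C:\\Program Files (x86)\\Windows NT\\tProtect.dll\" type= kernel start= auto"),
    ("cmd.exe", "sc start CleverSoar"),
    ("powershell.exe", "powershell.exe -NoP -W Hidden -EncodedCommand "
     + _encode_ps("Add-MpPreference -ExclusionProcess 'C:\\Users\\Public\\svc.exe'")),
    # Benign controls (assumed): a driver where drivers belong, and a read-only cmdlet.
    ("cmd.exe", "sc create tapdrv binPath= \"C:\\Windows\\System32\\drivers\\tap0901.sys\""
     " type= kernel start= demand"),
    ("explorer.exe", "powershell.exe -Command \"Get-MpPreference\""),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_VALUE = r"'[^']*'|\"[^\"]*\"|[^\s,'\"]+"
_EXCL_RE = re.compile(r"-Exclusion(Path|Extension|Process)\s+((?:%s)(?:\s*,\s*(?:%s))*)"
                      % (_VALUE, _VALUE), re.I)
_SC_CREATE_RE = re.compile(r"^\s*\"?(?:[^\"\s]*\\)?sc(?:\.exe)?\"?\s+create\s+(\S+)\s*(.*)$", re.I)
_SC_KV_RE = re.compile(r"(\w+)=\s*(\"[^\"]*\"|\S+)")      # sc.exe's "key= value" form
_BROAD_PATH_RE = re.compile(r"[a-z]:(?:\\(?:windows|users|programdata|program files(?: \(x86\))?))?")
_BROAD_EXTS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "vbs", "js", "tmp"}

def decode_encoded_command(cmdline):
    """Splice a decoded -EncodedCommand payload into cmdline; unchanged if absent or malformed."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + script + cmdline[m.end():]

def find_defender_exclusions(cmdline):
    """(kind, value) pairs for every exclusion an Add-/Set-MpPreference call adds."""
    text = decode_encoded_command(cmdline)
    if not re.search(r"\b(?:Add|Set)-MpPreference\b", text, re.I):
        return []
    return [(kind.capitalize(), tok.strip("'\""))
            for kind, raw in _EXCL_RE.findall(text) for tok in re.findall(_VALUE, raw)]

def is_broad_exclusion(kind, value):
    """Drive root / top-level system folder, executable-type extension, or a process
    named without a path (Defender then matches every image with that file name)."""
    v = value.strip().lower().rstrip("\\")
    if kind == "Path":
        return _BROAD_PATH_RE.fullmatch(v) is not None
    if kind == "Extension":
        return v.lstrip(".") in _BROAD_EXTS
    return "\\" not in v

def parse_sc_create(cmdline):
    """Dict of lower-cased keys for `sc create <name> key= value ...`, else None."""
    m = _SC_CREATE_RE.match(cmdline)
    if not m:
        return None
    spec = {"name": m.group(1)}
    for key, val in _SC_KV_RE.findall(m.group(2)):
        spec[key.lower()] = val.strip("\"")
    return spec

def suspicious_kernel_service(spec):
    """Why a kernel/file-system driver service looks wrong (image not a .sys under
    System32\\drivers); None when the spec is not a driver or looks normal."""
    if not spec or spec.get("type", "").lower() not in ("kernel", "filesys"):
        return None
    image = spec.get("binpath", "").lower()
    reasons = [r for cond, r in ((not image.endswith(".sys"), "image extension is not .sys"),
                                 ("\\system32\\drivers\\" not in image, "image outside System32\\drivers"))
               if cond]
    return "; ".join(reasons) or None

def triage(events):
    """Apply both checks to (parent, cmdline) pairs; returns (rule, parent, detail) tuples."""
    findings = []
    for parent, cmd in events:
        for kind, value in find_defender_exclusions(cmd):
            broad = is_broad_exclusion(kind, value)
            findings.append(("defender-exclusion-broad" if broad else "defender-exclusion",
                             parent, "%s=%s" % (kind, value)))
        spec = parse_sc_create(cmd)
        reason = suspicious_kernel_service(spec)
        if reason:
            findings.append(("kernel-driver-odd-image", parent, "%s: %s" % (spec["name"], reason)))
    return findings
```

Running triage(SAMPLE_EVENTS) yields three findings: the whole-drive exclusion from the .tmp, the CleverSoar driver whose image is a .dll outside System32\drivers, and the encoded per-process exclusion; the sc start lines, the tapdrv control and Get-MpPreference produce nothing. On a live host the same two events also surface as Defender/Operational event 5007 (exclusion added) and System event 7045 (kernel-mode driver service installed), so the same parsing applies to those records.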
MITRE ATT&CK Matrix (techniques listed per tactic in the order shown in the report; leading digits are the count badges as displayed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 421 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1580542; Sample: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; Start date: 25/12/2024; Architecture: WINDOWS; Score: 96)

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures

Process tree (dropped files and signatures are listed under the process they belong to):
• #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
  • dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp (PE32)
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
    • dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    • signature: Adds a directory exclusion to Windows Defender
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
      • dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp (PE32)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
        • dropped: C:\Users\user\AppData\Local\...\update.vbc (PE32); C:\Program Files (x86)\Windows NT\hrsw.vbc (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\Windows NT\7zr.exe (PE32)
        • signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
        • 7zr.exe
          • dropped: C:\Program Files (x86)\...\tProtect.dll (PE32+)
          • conhost.exe
        • 7zr.exe
          • conhost.exe
    • powershell.exe
      • signature: Loading BitLocker PowerShell Module
      • conhost.exe
      • WmiPrvSE.exe
• cmd.exe
  • sc.exe
    • conhost.exe
• cmd.exe
  • sc.exe
    • conhost.exe
• 32 other processes
  • sc.exe (three instances, each starting conhost.exe)
  • 28 other processes
    • conhost.exe
    • 27 other processes

Antivirus detection for the submitted file (Source; Detection; Scanner; Label):
#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; 8%; Virustotal
#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; 5%; ReversingLabs; Win32.Trojan.Generic

Antivirus detection for dropped files (Source; Detection; Scanner):
C:\Program Files (x86)\Windows NT\7zr.exe; 0%; ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe; 0%; Virustotal
C:\Program Files (x86)\Windows NT\hrsw.vbc; 26%; ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc; 21%; Virustotal
C:\Program Files (x86)\Windows NT\tProtect.dll; 9%; ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll; 6%; Virustotal
C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\_isetup\_setup64.tmp; 0%; ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\_isetup\_setup64.tmp; 0%; Virustotal
C:\Users\user\AppData\Local\Temp\is-0QCIO.tmp\update.vbc; 26%; ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\_isetup\_setup64.tmp; 0%; ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FH5K1.tmp\update.vbc; 26%; ReversingLabs
No Antivirus matches
No contacted domains info
URLs (Name; Source; Malicious; Reputation):
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU; #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; false; high
https://www.remobjects.com/ps; #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1671019964.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1670470870.0000000003050000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1672485947.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000005.00000000.1684477586.0000000000B6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr; false; high
https://www.innosetup.com/; #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1671019964.000000007EC3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1670470870.0000000003050000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1672485947.00000000003A1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000005.00000000.1684477586.0000000000B6D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.4.dr; false; high
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580542
Start date and time: 2024-12-25 03:32:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 112
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Critical Process Termination
Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (renamed because the original name is a hash value)
Original Sample Name: _1.1.4.exe
Detection: MAL
Classification: mal96.evad.winEXE@150/31@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 74%
• Number of executed functions: 121
• Number of non-executed functions: 106
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe
• Excluded IPs from analysis (whitelisted): 52.149.20.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time; Type; Description
21:32:57; API Interceptor; 1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp modified
21:33:00; API Interceptor; 23x Sleep call for process: powershell.exe modified
        No context
Dropped-file context (Match; Associated Sample Name; Detection; Threat Name):
C:\Program Files (x86)\Windows NT\7zr.exe is also dropped by the following samples, each detected as malicious with threat name Unknown: #U5b89#U88c5#U52a9#U624b2.0.6.exe; #U5b89#U88c5#U52a9#U624b2.0.7.exe; #U5b89#U88c5#U52a9#U624b2.0.5.exe; #U5b89#U88c5#U52a9#U624b2.0.4.exe; #U5b89#U88c5#U52a9#U624b2.0.2.exe; #U5b89#U88c5#U52a9#U624b2.0.3.exe; #U5b89#U88c5#U52a9#U624b2.0.1.exe; #U5b89#U88c5#U52a9#U624b2.0.6.exe; #U5b89#U88c5#U52a9#U624b2.0.7.exe; #U5b89#U88c5#U52a9#U624b2.0.4.exe
C:\Program Files (x86)\Windows NT\tProtect.dll is also dropped by the following samples, each detected as malicious with threat name Unknown: #U5b89#U88c5#U52a9#U624b2.0.6.exe; #U5b89#U88c5#U52a9#U624b2.0.7.exe; #U5b89#U88c5#U52a9#U624b2.0.5.exe; #U5b89#U88c5#U52a9#U624b2.0.4.exe; #U5b89#U88c5#U52a9#U624b2.0.2.exe; #U5b89#U88c5#U52a9#U624b2.0.3.exe; #U5b89#U88c5#U52a9#U624b2.0.1.exe; #U5b89#U88c5#U52a9#U624b2.0.6.exe; #U5b89#U88c5#U52a9#U624b2.0.7.exe; #U5b89#U88c5#U52a9#U624b2.0.4.exe
Process: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 831200
Entropy (8bit): 6.671005303304742
Encrypted: false
SSDEEP: 24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5: 84DC4B92D860E8AEA55D12B1E87EA108
SHA1: 56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256: BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512: CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
• Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
Process: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
File Type: data
Category: dropped
Size (bytes): 1922592
Entropy (8bit): 7.999905915279869
Encrypted: true
SSDEEP: 49152:orHW6CwzpxNH6btQf7ikPICTKJ6VYFQ08xten:oa6DlwKIiqS09n
MD5: 8CE0A5AEBCE8B28B7AFFE857C765A0DE
SHA1: 2B86C493D7B193E11C1A01658442BBBDE2F50261
SHA-256: 29A7E30E2DD018E06E1CD64787C5375B62C515B4B716C99D716030242E4499C8
SHA-512: 9870EF6582F0C1E5803CB87E1C3A3B5579A5F5000CC8C64E40043C21F42D8200B99EE32158DB76620559C8E524FAE9B14AB448F6BFD93069FA0333B674D6489D
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3621376
Entropy (8bit): 7.006090025798393
Encrypted: false
SSDEEP: 98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
MD5: FCADEAE28FCC52FD286350DFEECD82E5
SHA1: 48290AA098DEDE53C457FC774063C3198754A161
SHA-256: 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
SHA-512: 56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 21%
Process: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
File Type: data
Category: dropped
Size (bytes): 1922592
Entropy (8bit): 7.999905915279869
Encrypted: true
SSDEEP: 49152:orHW6CwzpxNH6btQf7ikPICTKJ6VYFQ08xten:oa6DlwKIiqS09n
MD5: 8CE0A5AEBCE8B28B7AFFE857C765A0DE
SHA1: 2B86C493D7B193E11C1A01658442BBBDE2F50261
SHA-256: 29A7E30E2DD018E06E1CD64787C5375B62C515B4B716C99D716030242E4499C8
SHA-512: 9870EF6582F0C1E5803CB87E1C3A3B5579A5F5000CC8C64E40043C21F42D8200B99EE32158DB76620559C8E524FAE9B14AB448F6BFD93069FA0333B674D6489D
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.99693799156576
Encrypted: true
SSDEEP: 768:jp8Uun5ODLwTs3N2Ziut+FUo4rToRydro6ahFubgvbarPtoE3DFJ3NjEdQmO64Rn:jp+noU6+fgRyGv6bwSPtoC9AdpkBSmVj
MD5: 5E5B62F2674EFB7699D6E5680CBD498B
SHA1: 4076C3374476B23CA83211C11E5125C963BD6DBC
SHA-256: C984B28BCD1D2FC0A5A40A5533BA2D685697C72208134A3A1A3772EB034CD5D5
SHA-512: 9264CAC9EC3BCA68B9CB6960B055CC89282BF9EFA8BB032BA6AC5941690ABC63B80E0436325DDED4803F1E0FD2E246F7465F0085A6A945E95FADE9170824AB46
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996937991565762
Encrypted: true
SSDEEP: 1536:rpxCASR3U5V8s7XMYaoLCbuSUhxWVC8TH:dc3U5VLfLCbuSYxWVC+H
MD5: 96191728F46632D577121843D546310C
SHA1: 2A7EE9EDDCDAF195E2ED8D9C8A43DE7AC675A231
SHA-256: A077F09EB4DAEAB2982BD031083F51544D809B84ABDB1C97D78DE3DC76410032
SHA-512: 70EC48BE8804BEDCD2F9221D51E08430CDD84A59662229AB08EF6A45EC328F618D25E883269ABD6E49A9A31AA990918501CE50E9C351766FB4DD6FF7B6508089
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255975
Encrypted: true
SSDEEP: 1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5: CEA69F993E1CE0FB945A98BF37A66546
SHA1: 7114365265F041DA904574D1F5876544506F89BA
SHA-256: E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512: 4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
File Type: 7-zip archive data, version 0.4
Category: dropped
Size (bytes): 56546
Entropy (8bit): 7.996966859255979
Encrypted: true
SSDEEP: 1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5: 4CB8B7E557C80FC7B014133AB834A042
SHA1: C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256: 3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512: A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious: false
Process: C:\Program Files (x86)\Windows NT\7zr.exe
File Type: data
Category: dropped
Size (bytes): 31890
Entropy (8bit): 7.99402458740637
Encrypted: true
SSDEEP: 768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5: 8622FC7228777F64A47BD6C61478ADD9
SHA1: 9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256: 4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512: 71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious: false
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):31890
                                                Entropy (8bit):7.99402458740637
                                                Encrypted:true
                                                SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                                MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                                SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                                SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                                SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):74960
                                                Entropy (8bit):7.99759370165655
                                                Encrypted:true
                                                SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                                MD5:950338D50B95A25F494EE74E97B7B7A9
                                                SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                                SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                                SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):74960
                                                Entropy (8bit):7.997593701656546
                                                Encrypted:true
                                                SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                                MD5:059BA7C31F3E227356CA5F29E4AA2508
                                                SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                                SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                                SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):29730
                                                Entropy (8bit):7.994290657653607
                                                Encrypted:true
                                                SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                                MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                                SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                                SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                                SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):29730
                                                Entropy (8bit):7.994290657653608
                                                Encrypted:true
                                                SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                                MD5:A9C8A3E00692F79E1BA9693003F85D18
                                                SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                                SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                                SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                                Malicious:false
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:7-zip archive data, version 0.4
                                                Category:dropped
                                                Size (bytes):1922592
                                                Entropy (8bit):7.99990591527987
                                                Encrypted:true
                                                SSDEEP:49152:5Mo17OIO8i/NM7F39GTSBWKeQifmq9EV19:io17O8i/+7B9ScF1q9019
                                                MD5:CB8B923780CA9DCAB3C2D8A9A6C79544
                                                SHA1:4E0A293B329E8A4A2898782065A2DA4882DC22D9
                                                SHA-256:666C2E43D2841673A0CC05B94DDE575C4398BEA21805A5DDDF2A2777A3517CCF
                                                SHA-512:A1C1DB233E8C3724DE52429C43D8A33E5BB9878D0170F2965DAA4AC2825755BF4AB170B3A6340A8E98867C46001D4861A3F055F219F4E081D9C92C0431458C51
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):63640
                                                Entropy (8bit):6.482810107683822
                                                Encrypted:false
                                                SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                                MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                                SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                                SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                                SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                                Malicious:true
                                                Antivirus:
                                                 • Antivirus: ReversingLabs, Detection: 9%
                                                 • Antivirus: Virustotal, Detection: 6%
                                                 Joe Sandbox View:
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious
                                                 • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:ASCII text
                                                Category:dropped
                                                Size (bytes):4096
                                                Entropy (8bit):3.3443983145211007
                                                Encrypted:false
                                                SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                                                MD5:1E67E91688292692932CD9096EDEA2BD
                                                SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                                                SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                                                SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                                                Malicious:false
                                                 Preview:
                                                 <Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
                                                   <RegistrationInfo>
                                                     <Date>2005-10-11T13:21:17-08:00</Date>
                                                     <Author>Microsoft Corporation</Author>
                                                     <Version>1.0.0</Version>
                                                     <Description>Microsoft</Description>
                                                     <URI>\turminoob</URI>
                                                   </RegistrationInfo>
                                                   <Triggers>
                                                     <LogonTrigger>
                                                       <Enabled>true</Enabled>
                                                       <UserId>user</UserId>
                                                     </LogonTrigger>
                                                   </Triggers>
                                                   <Principals>
                                                     <Principal id="System">
                                                       <UserId>user</UserId>
                                                       <RunLevel>HighestAvailable</RunLevel>
                                                     </Principal>
                                                   </Principals>
                                                   <Settings>
                                                     <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
                                                     <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
                                                     <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                                                     <AllowHardTerminate>false</AllowHardTerminate>
                                                     <StartWhenAvailable>true</StartWhenAvailable>
                                                     <RunOnlyIfNetworkAva
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):1672472
                                                Entropy (8bit):7.999884409585901
                                                Encrypted:true
                                                SSDEEP:24576:t+DyQWCAIHJxhRLxs1IF2D2PWbUuSLAQCxOBNlnua+1iPcxgE+63xOUuCtuR:oZWdi1s1IF8BUnLCYBNlV+1xkmOU4
                                                MD5:C3FFBA57909DE6ACDC3EA1EE393C9961
                                                SHA1:B0FBA32B27E62CADD088C05645355DD5F11E323A
                                                SHA-256:80EBA8624265A018E2C61497F32A20E6F5F13E37361E6214523096B9E47D2034
                                                SHA-512:E3A4512C0B16B14682472C45DA2102142C26DE228BBFFFD9B5F22F41048CA4CE2830CBF575A00934A961CBF1ED76E6DD1129480F41920D13DC6B914BF45BA57E
                                                Malicious:false
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):64
                                                Entropy (8bit):1.1940658735648508
                                                Encrypted:false
                                                SSDEEP:3:Nlllul/nq/llh:NllUyt
                                                MD5:AB80AD9A08E5B16132325DF5584B2CBE
                                                SHA1:F7411B7A5826EE6B139EBF40A7BEE999320EF923
                                                SHA-256:5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
                                                SHA-512:9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
                                                Malicious:false
                                                Preview:@...e................................................@..........
                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):6144
                                                Entropy (8bit):4.720366600008286
                                                Encrypted:false
                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                Malicious:false
                                                Antivirus:
                                                 • Antivirus: ReversingLabs, Detection: 0%
                                                 • Antivirus: Virustotal, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3621376
                                                Entropy (8bit):7.006090025798393
                                                Encrypted:false
                                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 26%
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3366912
                                                Entropy (8bit):6.5305591301859165
                                                Encrypted:false
                                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                MD5:833E148BCEB71E3D12C96B53539F24E1
                                                SHA1:C7DCDF06DC1045595F9F914C822E04ECBA7ADB6F
                                                SHA-256:FE66E967480D9E0A1D307B21F310D6AF3C00789F680CE8E21ABD2AEE8F1C565A
                                                SHA-512:F6E9E5C7B63E301AE5F8CE22F61247581DA00C0119615014740EAB272CDBC75B1BBC995F9A6905C8A087679AB8DBBDF47560C78F3FEE8873B1390791A66D9BA2
                                                Malicious:true
                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                Process:C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                Category:dropped
                                                Size (bytes):6144
                                                Entropy (8bit):4.720366600008286
                                                Encrypted:false
                                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3621376
                                                Entropy (8bit):7.006090025798393
                                                Encrypted:false
                                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 26%
                                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3366912
                                                Entropy (8bit):6.5305591301859165
                                                Encrypted:false
                                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                                MD5:833E148BCEB71E3D12C96B53539F24E1
                                                SHA1:C7DCDF06DC1045595F9F914C822E04ECBA7ADB6F
                                                SHA-256:FE66E967480D9E0A1D307B21F310D6AF3C00789F680CE8E21ABD2AEE8F1C565A
                                                SHA-512:F6E9E5C7B63E301AE5F8CE22F61247581DA00C0119615014740EAB272CDBC75B1BBC995F9A6905C8A087679AB8DBBDF47560C78F3FEE8873B1390791A66D9BA2
                                                Malicious:true
                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................
                                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                                File Type:ASCII text, with CRLF, CR line terminators
                                                Category:dropped
                                                Size (bytes):406
                                                Entropy (8bit):5.117520345541057
                                                Encrypted:false
                                                SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                                MD5:9200058492BCA8F9D88B4877F842C148
                                                SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                                SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                                SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                                Malicious:false
                                                Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.946143883607197
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 98.04%
                                                • Inno Setup installer (109748/4) 1.08%
                                                • InstallShield setup (43055/19) 0.42%
                                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                                                File size:7'237'925 bytes
                                                MD5:704d909b74fde4f05ceba394fc91416b
                                                SHA1:e78859d87194b3968f1492e18f93424ccd946d63
                                                SHA256:a7e3fad1d01f1888aa10d040699857288d4c6b4dc0e77eb5381e34c5c9e8e4e9
                                                SHA512:4791bee70217a33962f563ea424ce586ec2140bb26b0c77572a2f9876695948a3f77512246994673f954d5cfdae7085c483775567175bae01136a5c31f46dabc
                                                SSDEEP:98304:XwRE4sdlQNRIvth0lw8pUEkCYNlN6BMy66dmEdlvCOcIoodMwZgq:lPvP0lw8polKMy66nLvCOcIdV
                                                TLSH:0C761222F2C7D53EE06D0B3B09B2A15454FBAA656423AE1796ECB4ECCF350501D3E687
                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                Icon Hash:0c0c2d33ceec80aa
                                                Entrypoint:0x4a83bc
                                                Entrypoint Section:.itext
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:1
                                                File Version Major:6
                                                File Version Minor:1
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:1
                                                Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                Instruction
                                                push ebp
                                                mov ebp, esp
                                                add esp, FFFFFFA4h
                                                push ebx
                                                push esi
                                                push edi
                                                xor eax, eax
                                                mov dword ptr [ebp-3Ch], eax
                                                mov dword ptr [ebp-40h], eax
                                                mov dword ptr [ebp-5Ch], eax
                                                mov dword ptr [ebp-30h], eax
                                                mov dword ptr [ebp-38h], eax
                                                mov dword ptr [ebp-34h], eax
                                                mov dword ptr [ebp-2Ch], eax
                                                mov dword ptr [ebp-28h], eax
                                                mov dword ptr [ebp-14h], eax
                                                mov eax, 004A2EBCh
                                                call 00007F52D4FAADB5h
                                                xor eax, eax
                                                push ebp
                                                push 004A8AC1h
                                                push dword ptr fs:[eax]
                                                mov dword ptr fs:[eax], esp
                                                xor edx, edx
                                                push ebp
                                                push 004A8A7Bh
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                mov eax, dword ptr [004B0634h]
                                                call 00007F52D503C73Bh
                                                call 00007F52D503C28Eh
                                                lea edx, dword ptr [ebp-14h]
                                                xor eax, eax
                                                call 00007F52D5036F68h
                                                mov edx, dword ptr [ebp-14h]
                                                mov eax, 004B41F4h
                                                call 00007F52D4FA4E63h
                                                push 00000002h
                                                push 00000000h
                                                push 00000001h
                                                mov ecx, dword ptr [004B41F4h]
                                                mov dl, 01h
                                                mov eax, dword ptr [0049CD14h]
                                                call 00007F52D5038293h
                                                mov dword ptr [004B41F8h], eax
                                                xor edx, edx
                                                push ebp
                                                push 004A8A27h
                                                push dword ptr fs:[edx]
                                                mov dword ptr fs:[edx], esp
                                                call 00007F52D503C7C3h
                                                mov dword ptr [004B4200h], eax
                                                mov eax, dword ptr [004B4200h]
                                                cmp dword ptr [eax+0Ch], 01h
                                                jne 00007F52D50434AAh
                                                mov eax, dword ptr [004B4200h]
                                                mov edx, 00000028h
                                                call 00007F52D5038B88h
                                                mov edx, dword ptr [004B4200h]
                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0xcb000 | 0x11000 | 0x11000 | 338edf3ba219bca78cc4fc4306bc77d8 | False | 0.18772977941176472 | data | 3.7220745010189797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                                                RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                                                RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                                                RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                                                RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                                                RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                                                RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                                                RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                                                RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                                                RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                                                RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                                                RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                                                RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                                                RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                                                RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                                                RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                                                RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                                                RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                                                RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                                                RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                                                RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                                                RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                                                RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                                                RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                                                RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                                                RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                                                RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                                                RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                                                RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2754957507082153
                                                RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                                                DLL | Import
                                                kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                comctl32.dll | InitCommonControls
                                                user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                                                Name | Ordinal | Address
                                                __dbk_fcall_wrapper | 2 | 0x40fc10
                                                dbkFCallWrapperAddr | 1 | 0x4b063c
                                                Language of compilation system | Country where language is spoken | Map
                                                English | United States |
                                                No network behavior found

                                                Target ID:0
                                                Start time:21:32:56
                                                Start date:24/12/2024
                                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
                                                Imagebase:0x2e0000
                                                File size:7'237'925 bytes
                                                MD5 hash:704D909B74FDE4F05CEBA394FC91416B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:1
                                                Start time:21:32:57
                                                Start date:24/12/2024
                                                Path:C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-C2TR1.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20448,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
                                                Imagebase:0x3a0000
                                                File size:3'366'912 bytes
                                                MD5 hash:833E148BCEB71E3D12C96B53539F24E1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:2
                                                Start time:21:32:57
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):false
                                                Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                Imagebase:0x7ff788560000
                                                File size:452'608 bytes
                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:21:32:57
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:21:32:57
                                                Start date:24/12/2024
                                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
                                                Imagebase:0x2e0000
                                                File size:7'237'925 bytes
                                                MD5 hash:704D909B74FDE4F05CEBA394FC91416B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:false

                                                Target ID:5
                                                Start time:21:32:58
                                                Start date:24/12/2024
                                                Path:C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-SDIGA.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$2044C,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
                                                Imagebase:0x8f0000
                                                File size:3'366'912 bytes
                                                MD5 hash:833E148BCEB71E3D12C96B53539F24E1
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:Borland Delphi
                                                Reputation:low
                                                Has exited:true

                                                Target ID:6
                                                Start time:21:33:00
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:21:33:00
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:21:33:00
                                                Start date:24/12/2024
                                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                Wow64 process (32bit):true
                                                Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                                Imagebase:0x800000
                                                File size:831'200 bytes
                                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 0%, ReversingLabs
                                                • Detection: 0%, Virustotal
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:9
                                                Start time:21:33:00
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:21:33:00
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                                Wow64 process (32bit):true
                                                Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                                Imagebase:0xd70000
                                                File size:831'200 bytes
                                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:12
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:13
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff693ab0000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:14
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:15
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:16
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:17
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:18
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:19
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:21
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:23
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:24
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:26
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:27
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:28
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:29
                                                Start time:21:33:02
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:30
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:31
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:32
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:33
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:34
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:35
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:36
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:37
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:38
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:39
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:40
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:41
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:42
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:43
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:44
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:45
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:46
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:47
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:48
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:49
                                                Start time:21:33:03
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:50
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:51
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:52
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:53
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:54
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:55
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:56
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:57
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:58
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:59
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:60
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:61
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:62
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:63
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:64
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:65
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:66
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:67
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:68
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:69
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:70
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:71
                                                Start time:21:33:04
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:72
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:73
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:74
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:75
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:76
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:77
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:78
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:79
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:80
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:81
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:82
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:83
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:84
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:85
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:86
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:87
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:88
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:89
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:90
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:91
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:92
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:93
                                                Start time:21:33:05
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:94
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:95
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:96
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:97
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:98
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:99
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:100
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:101
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:102
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:103
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:104
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:105
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:106
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:107
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:108
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\sc.exe
                                                Wow64 process (32bit):false
                                                Commandline:sc start CleverSoar
                                                Imagebase:0x7ff7b6af0000
                                                File size:72'192 bytes
                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:109
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:110
                                                Start time:21:33:06
                                                Start date:24/12/2024
                                                Path:C:\Windows\System32\cmd.exe
                                                Wow64 process (32bit):false
                                                Commandline:cmd /c start sc start CleverSoar
                                                Imagebase:0x7ff717830000
                                                File size:289'792 bytes
                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:1.9%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:5.2%
                                                  Total number of Nodes:727
                                                  Total number of Limit Nodes:8
CreateFileW 64074->64079 64075->64069 64078 6c5b5080 __wsopen_s EnterCriticalSection 64075->64078 64076->64069 64077 6c5b4db0 LeaveCriticalSection 64076->64077 64077->64070 64078->64069 64079->64005 64080->64011 64081->64009 64082->64013 64083->64014 64085 6c5b4c92 __wsopen_s 18 API calls 64084->64085 64088 6c5af025 64085->64088 64086 6c5af02b 64087 6c5b4e0f __wsopen_s SetStdHandle 64086->64087 64096 6c5af083 __dosmaperr 64087->64096 64088->64086 64089 6c5af05d 64088->64089 64091 6c5b4c92 __wsopen_s 18 API calls 64088->64091 64089->64086 64090 6c5b4c92 __wsopen_s 18 API calls 64089->64090 64092 6c5af069 CloseHandle 64090->64092 64093 6c5af054 64091->64093 64092->64086 64094 6c5af075 GetLastError 64092->64094 64095 6c5b4c92 __wsopen_s 18 API calls 64093->64095 64094->64086 64095->64089 64096->64002 64097->64017 64098->64023 64099->64012 64100->63899 64102 6c5a4299 64101->64102 64103 6c5a42ae 64101->64103 64139 6c5a3810 18 API calls __wsopen_s 64102->64139 64113 6c5a42a9 64103->64113 64117 6c5a43a9 64103->64117 64110 6c5a42d1 64132 6c5aef88 64110->64132 64112 6c5a42d7 64112->64113 64140 6c5a7eab HeapFree GetLastError __dosmaperr 64112->64140 64113->63902 64115->63903 64116->63903 64118 6c5a42c3 64117->64118 64119 6c5a43c1 64117->64119 64123 6c5abe2e 64118->64123 64119->64118 64120 6c5ad350 18 API calls 64119->64120 64121 6c5a43df 64120->64121 64141 6c5af25c 64121->64141 64124 6c5a42cb 64123->64124 64125 6c5abe45 64123->64125 64127 6c5ad350 64124->64127 64125->64124 64229 6c5a7eab HeapFree GetLastError __dosmaperr 64125->64229 64128 6c5ad371 64127->64128 64129 6c5ad35c 64127->64129 64128->64110 64230 6c5a3810 18 API calls __wsopen_s 64129->64230 64131 6c5ad36c 64131->64110 64133 6c5aefae 64132->64133 64137 6c5aef99 __dosmaperr 64132->64137 64134 6c5aefd5 64133->64134 64136 6c5aeff7 __dosmaperr 64133->64136 64231 6c5af0b1 64134->64231 64239 6c5a3810 18 API calls __wsopen_s 64136->64239 64137->64112 64139->64113 64140->64113 64144 6c5af268 __wsopen_s 64141->64144 64142 
6c5af270 __dosmaperr 64142->64118 64143 6c5af323 __dosmaperr 64182 6c5a3810 18 API calls __wsopen_s 64143->64182 64144->64142 64144->64143 64145 6c5af2ba 64144->64145 64152 6c5b5080 EnterCriticalSection 64145->64152 64147 6c5af2c0 64150 6c5af2dc __dosmaperr 64147->64150 64153 6c5af34e 64147->64153 64181 6c5af31b LeaveCriticalSection __wsopen_s 64150->64181 64152->64147 64154 6c5af370 64153->64154 64180 6c5af38c __dosmaperr 64153->64180 64155 6c5af3c4 64154->64155 64156 6c5af374 __dosmaperr 64154->64156 64157 6c5af3d7 64155->64157 64191 6c5ae359 20 API calls __wsopen_s 64155->64191 64190 6c5a3810 18 API calls __wsopen_s 64156->64190 64183 6c5af530 64157->64183 64162 6c5af42c 64166 6c5af440 64162->64166 64167 6c5af485 WriteFile 64162->64167 64163 6c5af3ed 64164 6c5af3f1 64163->64164 64165 6c5af416 64163->64165 64164->64180 64192 6c5af94b 6 API calls __wsopen_s 64164->64192 64193 6c5af5a1 43 API calls 5 library calls 64165->64193 64170 6c5af44b 64166->64170 64171 6c5af475 64166->64171 64169 6c5af4a9 GetLastError 64167->64169 64167->64180 64169->64180 64174 6c5af450 64170->64174 64175 6c5af465 64170->64175 64196 6c5af9b3 7 API calls 2 library calls 64171->64196 64176 6c5af455 64174->64176 64174->64180 64195 6c5afb77 8 API calls 3 library calls 64175->64195 64194 6c5afa8e 7 API calls 2 library calls 64176->64194 64178 6c5af463 64178->64180 64180->64150 64181->64142 64182->64142 64197 6c5b50d5 64183->64197 64185 6c5af541 64186 6c5af3e8 64185->64186 64202 6c5a80a2 GetLastError 64185->64202 64186->64162 64186->64163 64189 6c5af57e GetConsoleMode 64189->64186 64190->64180 64191->64157 64192->64180 64193->64180 64194->64178 64195->64178 64196->64178 64199 6c5b50e2 64197->64199 64200 6c5b50ef 64197->64200 64198 6c5b50fb 64198->64185 64199->64185 64200->64198 64201 6c5a3810 __wsopen_s 18 API calls 64200->64201 64201->64199 64203 6c5a80b9 64202->64203 64207 6c5a80bf 64202->64207 64204 6c5aa213 __Getctype 6 API calls 64203->64204 64204->64207 64205 6c5aa252 __Getctype 6 API 
calls 64206 6c5a80dd 64205->64206 64208 6c5a80c5 SetLastError 64206->64208 64209 6c5a80e1 64206->64209 64207->64205 64207->64208 64215 6c5a8159 64208->64215 64216 6c5a8153 64208->64216 64210 6c5aa8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 64209->64210 64211 6c5a80ed 64210->64211 64213 6c5a810c 64211->64213 64214 6c5a80f5 64211->64214 64219 6c5aa252 __Getctype 6 API calls 64213->64219 64217 6c5aa252 __Getctype 6 API calls 64214->64217 64218 6c5a41b9 __Getctype 35 API calls 64215->64218 64216->64186 64216->64189 64220 6c5a8103 64217->64220 64221 6c5a815e 64218->64221 64222 6c5a8118 64219->64222 64225 6c5a7eab _free HeapFree GetLastError 64220->64225 64223 6c5a811c 64222->64223 64224 6c5a812d 64222->64224 64226 6c5aa252 __Getctype 6 API calls 64223->64226 64228 6c5a7eab _free HeapFree GetLastError 64224->64228 64227 6c5a8109 64225->64227 64226->64220 64227->64208 64228->64227 64229->64124 64230->64131 64232 6c5af0bd __wsopen_s 64231->64232 64240 6c5b5080 EnterCriticalSection 64232->64240 64234 6c5af0cb 64235 6c5af0f8 64234->64235 64236 6c5af015 __wsopen_s 21 API calls 64234->64236 64241 6c5af131 LeaveCriticalSection __wsopen_s 64235->64241 64236->64235 64238 6c5af11a 64238->64137 64239->64137 64240->64234 64241->64238 64242->63738 64243->63741 64244->63738 64245->63738 64246->63738 64248 6c46022e 64247->64248 64249 6c4370c4 64248->64249 64254 6c5a4ecb 64248->64254 64249->63751 64251->63752 64252->63754 64253->63756 64255 6c5a4ed9 64254->64255 64256 6c5a4ef6 64254->64256 64255->64256 64257 6c5a4efa 64255->64257 64258 6c5a4ee6 64255->64258 64256->64248 64262 6c5a50f2 64257->64262 64270 6c5a3810 18 API calls __wsopen_s 64258->64270 64263 6c5a50fe __wsopen_s 64262->64263 64271 6c59fc99 EnterCriticalSection 64263->64271 64265 6c5a510c 64272 6c5a50af 64265->64272 64269 6c5a4f2c 64269->64248 64270->64256 64271->64265 64280 6c5abc96 64272->64280 64278 6c5a50e9 64279 6c5a5141 LeaveCriticalSection 64278->64279 64279->64269 64281 6c5ad350 18 API calls 
64280->64281 64282 6c5abca7 64281->64282 64283 6c5b50d5 __wsopen_s 18 API calls 64282->64283 64284 6c5abcad __wsopen_s 64283->64284 64286 6c5a50c3 64284->64286 64297 6c5a7eab HeapFree GetLastError __dosmaperr 64284->64297 64287 6c5a4f2e 64286->64287 64289 6c5a4f40 64287->64289 64291 6c5a4f5e 64287->64291 64288 6c5a4f4e 64298 6c5a3810 18 API calls __wsopen_s 64288->64298 64289->64288 64289->64291 64294 6c5a4f76 _Yarn 64289->64294 64296 6c5abd49 62 API calls 64291->64296 64292 6c5a43a9 62 API calls 64292->64294 64293 6c5ad350 18 API calls 64293->64294 64294->64291 64294->64292 64294->64293 64295 6c5af25c __wsopen_s 62 API calls 64294->64295 64295->64294 64296->64278 64297->64286 64298->64291 64300 6c599715 64299->64300 64301 6c462020 52 API calls 64300->64301 64302 6c5997b6 64301->64302 64303 6c59a133 std::_Facet_Register 4 API calls 64302->64303 64304 6c5997ee 64303->64304 64305 6c59aa17 43 API calls 64304->64305 64306 6c599802 64305->64306 64307 6c461d90 89 API calls 64306->64307 64308 6c5998ab 64307->64308 64309 6c5998dc 64308->64309 64353 6c462250 30 API calls 64308->64353 64309->63767 64311 6c599916 64354 6c4626e0 24 API calls 4 library calls 64311->64354 64313 6c599928 64355 6c59ca69 RaiseException 64313->64355 64315 6c59993d 64356 6c45e010 67 API calls 64315->64356 64317 6c59994f 64317->63767 64319 6c599a7d 64318->64319 64357 6c599c90 64319->64357 64323 6c599b6c 64323->63774 64325 6c599a95 64325->64323 64375 6c462250 30 API calls 64325->64375 64376 6c4626e0 24 API calls 4 library calls 64325->64376 64377 6c59ca69 RaiseException 64325->64377 64327 6c47304f 64326->64327 64331 6c473063 64327->64331 64386 6c463560 32 API calls std::_Xinvalid_argument 64327->64386 64329 6c47311e 64333 6c473131 64329->64333 64387 6c4637e0 32 API calls std::_Xinvalid_argument 64329->64387 64331->64329 64388 6c462250 30 API calls 64331->64388 64389 6c4626e0 24 API calls 4 library calls 64331->64389 64390 6c59ca69 RaiseException 64331->64390 64333->63774 64337 6c59928e 64336->64337 
64340 6c5992c1 64336->64340 64339 6c4601f0 64 API calls 64337->64339 64338 6c599373 64338->63779 64341 6c5992b4 64339->64341 64340->64338 64391 6c462250 30 API calls 64340->64391 64343 6c5a4208 67 API calls 64341->64343 64343->64340 64344 6c59939e 64392 6c462340 24 API calls 64344->64392 64346 6c5993ae 64393 6c59ca69 RaiseException 64346->64393 64348 6c5993b9 64394 6c45e010 67 API calls 64348->64394 64350 6c599412 std::ios_base::_Ios_base_dtor 64350->63779 64351->63771 64352->63777 64353->64311 64354->64313 64355->64315 64356->64317 64358 6c599cf8 64357->64358 64359 6c599ccc 64357->64359 64365 6c599d09 64358->64365 64378 6c463560 32 API calls std::_Xinvalid_argument 64358->64378 64360 6c599cf1 64359->64360 64380 6c462250 30 API calls 64359->64380 64360->64325 64363 6c599ed8 64381 6c462340 24 API calls 64363->64381 64365->64360 64379 6c462f60 42 API calls 4 library calls 64365->64379 64366 6c599ee7 64382 6c59ca69 RaiseException 64366->64382 64370 6c599f17 64384 6c462340 24 API calls 64370->64384 64372 6c599f2d 64385 6c59ca69 RaiseException 64372->64385 64374 6c599d43 64374->64360 64383 6c462250 30 API calls 64374->64383 64375->64325 64376->64325 64377->64325 64378->64365 64379->64374 64380->64363 64381->64366 64382->64374 64383->64370 64384->64372 64385->64360 64386->64331 64387->64333 64388->64331 64389->64331 64390->64331 64391->64344 64392->64346 64393->64348 64394->64350 64395 6c413d62 64397 6c413bc0 64395->64397 64396 6c413e8a GetCurrentThread NtSetInformationThread 64398 6c413eea 64396->64398 64397->64396 64399 6c5a262f 64400 6c5a263b __wsopen_s 64399->64400 64401 6c5a264f 64400->64401 64402 6c5a2642 GetLastError ExitThread 64400->64402 64403 6c5a80a2 __Getctype 37 API calls 64401->64403 64404 6c5a2654 64403->64404 64411 6c5ad456 64404->64411 64407 6c5a266b 64417 6c5a259a 16 API calls 2 library calls 64407->64417 64410 6c5a268d 64412 6c5ad468 GetPEB 64411->64412 64413 6c5a265f 64411->64413 64412->64413 64414 6c5ad47b 64412->64414 64413->64407 64416 6c5aa45f 5 
API calls std::_Lockit::_Lockit 64413->64416 64418 6c5aa508 5 API calls std::_Lockit::_Lockit 64414->64418 64416->64407 64417->64410 64418->64413 64419 6c5b01c3 64420 6c5b01ed 64419->64420 64421 6c5b01d5 __dosmaperr 64419->64421 64420->64421 64423 6c5b0267 64420->64423 64424 6c5b0238 __dosmaperr 64420->64424 64425 6c5b0280 64423->64425 64428 6c5b02d7 __wsopen_s 64423->64428 64429 6c5b029b __dosmaperr 64423->64429 64461 6c5a3810 18 API calls __wsopen_s 64424->64461 64427 6c5b0285 64425->64427 64425->64429 64426 6c5b50d5 __wsopen_s 18 API calls 64430 6c5b042e 64426->64430 64427->64426 64455 6c5a7eab HeapFree GetLastError __dosmaperr 64428->64455 64454 6c5a3810 18 API calls __wsopen_s 64429->64454 64433 6c5b04a4 64430->64433 64436 6c5b0447 GetConsoleMode 64430->64436 64435 6c5b04a8 ReadFile 64433->64435 64434 6c5b02f7 64456 6c5a7eab HeapFree GetLastError __dosmaperr 64434->64456 64438 6c5b051c GetLastError 64435->64438 64439 6c5b04c2 64435->64439 64436->64433 64440 6c5b0458 64436->64440 64451 6c5b02b2 __dosmaperr __wsopen_s 64438->64451 64439->64438 64442 6c5b0499 64439->64442 64440->64435 64443 6c5b045e ReadConsoleW 64440->64443 64441 6c5b02fe 64441->64451 64457 6c5ae359 20 API calls __wsopen_s 64441->64457 64447 6c5b04fe 64442->64447 64448 6c5b04e7 64442->64448 64442->64451 64443->64442 64445 6c5b047a GetLastError 64443->64445 64445->64451 64450 6c5b0515 64447->64450 64447->64451 64459 6c5b05ee 23 API calls 3 library calls 64448->64459 64460 6c5b08a6 21 API calls __wsopen_s 64450->64460 64458 6c5a7eab HeapFree GetLastError __dosmaperr 64451->64458 64453 6c5b051a 64453->64451 64454->64451 64455->64434 64456->64441 64457->64427 64458->64421 64459->64451 64460->64453 64461->64421
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: HR^
                                                  • API String ID: 4218353326-1341859651
                                                  • Opcode ID: d334b300d5a3e01d3ce5d6bd7ae1ffb02b5abbabfb3677297d28f982810eda9e
                                                  • Instruction ID: 572aad590c9df36b64b5601aa83d02c5c2bbd75840eb6ba15eaddf1b8d9fe9d1
                                                  • Opcode Fuzzy Hash: d334b300d5a3e01d3ce5d6bd7ae1ffb02b5abbabfb3677297d28f982810eda9e
                                                  • Instruction Fuzzy Hash: 5F74D471645B028FC728CF28C8D0EA5B7E2EF95318B198A6DC0D68BF55E774B54ACB40

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4604 6c598930-6c598964 CreateToolhelp32Snapshot 4605 6c598980-6c598989 4604->4605 4606 6c59898b-6c598990 4605->4606 4607 6c5989d0-6c5989d5 4605->4607 4608 6c598a0d-6c598a12 4606->4608 4609 6c598992-6c598997 4606->4609 4610 6c598a34-6c598a62 call 6c59f010 Process32FirstW 4607->4610 4611 6c5989d7-6c5989dc 4607->4611 4616 6c598a8b-6c598a90 4608->4616 4617 6c598a14-6c598a2f CloseHandle 4608->4617 4612 6c598999-6c59899e 4609->4612 4613 6c598966-6c598973 4609->4613 4620 6c598a76-6c598a86 4610->4620 4614 6c5989e2-6c5989e7 4611->4614 4615 6c598a64-6c598a71 Process32NextW 4611->4615 4612->4605 4622 6c5989a0-6c5989ca call 6c5a62f5 4612->4622 4613->4605 4614->4605 4623 6c5989e9-6c598a08 4614->4623 4615->4620 4616->4605 4621 6c598a96-6c598aa4 4616->4621 4617->4605 4620->4605 4622->4605 4623->4605
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C59893E
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: CreateSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3332741929-0
                                                  • Opcode ID: 05dc4592fbbafd8644af88d407e515e36985e1a420fdf2db0e07addcde2531b4
                                                  • Instruction ID: 3e3465b85f58bd4d89b714def0dc30d4bca3887a6768e9d8c2dda44929f01d1a
                                                  • Opcode Fuzzy Hash: 05dc4592fbbafd8644af88d407e515e36985e1a420fdf2db0e07addcde2531b4
                                                  • Instruction Fuzzy Hash: D8316870209342AFD701DF59C88475ABBE4AF89718F148DAEF488E6260D734D8898B53

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 4877 6c413886-6c41388e 4878 6c413970-6c41397d 4877->4878 4879 6c413894-6c413896 4877->4879 4881 6c4139f1-6c4139f8 4878->4881 4882 6c41397f-6c413989 4878->4882 4879->4878 4880 6c41389c-6c4138b9 4879->4880 4885 6c4138c0-6c4138c1 4880->4885 4883 6c413ab5-6c413aba 4881->4883 4884 6c4139fe-6c413a03 4881->4884 4882->4880 4886 6c41398f-6c413994 4882->4886 4883->4880 4890 6c413ac0-6c413ac7 4883->4890 4887 6c4138d2-6c4138d4 4884->4887 4888 6c413a09-6c413a2f 4884->4888 4889 6c41395e 4885->4889 4891 6c413b16-6c413b18 4886->4891 4892 6c41399a-6c41399f 4886->4892 4897 6c413957-6c41395c 4887->4897 4895 6c413a35-6c413a3a 4888->4895 4896 6c4138f8-6c413955 4888->4896 4898 6c413960-6c413964 4889->4898 4890->4885 4899 6c413acd-6c413ad6 4890->4899 4891->4885 4893 6c4139a5-6c4139bf 4892->4893 4894 6c41383b-6c413855 call 6c562a20 call 6c562a30 4892->4894 4900 6c413a5a-6c413a5d 4893->4900 4904 6c413860-6c413885 4894->4904 4901 6c413a40-6c413a57 4895->4901 4902 6c413b1d-6c413b22 4895->4902 4896->4897 4897->4889 4898->4904 4905 6c41396a 4898->4905 4899->4891 4906 6c413ad8-6c413aeb 4899->4906 4909 6c413aa9-6c413ab0 4900->4909 4901->4900 4907 6c413b24-6c413b44 4902->4907 4908 6c413b49-6c413b50 4902->4908 4904->4877 4911 6c413ba1-6c413bb6 4905->4911 4906->4896 4912 6c413af1-6c413af8 4906->4912 4907->4909 4908->4885 4916 6c413b56-6c413b5d 4908->4916 4909->4898 4917 6c413bc0-6c413bda call 6c562a20 call 6c562a30 4911->4917 4919 6c413b62-6c413b85 4912->4919 4920 6c413afa-6c413aff 4912->4920 4916->4898 4928 6c413be0-6c413bfe 4917->4928 4919->4896 4922 6c413b8b 4919->4922 4920->4897 4922->4911 4931 6c413c04-6c413c11 4928->4931 4932 6c413e7b 4928->4932 4933 6c413ce0-6c413cea 4931->4933 4934 6c413c17-6c413c20 4931->4934 4935 6c413e81-6c413ee0 call 6c413750 GetCurrentThread NtSetInformationThread 4932->4935 4938 6c413d3a-6c413d3c 4933->4938 4939 6c413cec-6c413d0c 4933->4939 4936 6c413dc5 4934->4936 4937 6c413c26-6c413c2d 4934->4937 
4951 6c413eea-6c413f04 call 6c562a20 call 6c562a30 4935->4951 4947 6c413dc6 4936->4947 4941 6c413dc3 4937->4941 4942 6c413c33-6c413c3a 4937->4942 4945 6c413d70-6c413d8d 4938->4945 4946 6c413d3e-6c413d45 4938->4946 4943 6c413d90-6c413d95 4939->4943 4941->4936 4949 6c413c40-6c413c5b 4942->4949 4950 6c413e26-6c413e2b 4942->4950 4953 6c413d97-6c413db8 4943->4953 4954 6c413dba-6c413dc1 4943->4954 4945->4943 4952 6c413d50-6c413d57 4946->4952 4948 6c413dc8-6c413dcc 4947->4948 4948->4928 4955 6c413dd2 4948->4955 4956 6c413e1b-6c413e24 4949->4956 4957 6c413e31 4950->4957 4958 6c413c7b-6c413cd0 4950->4958 4971 6c413f75-6c413fa1 4951->4971 4952->4947 4953->4936 4954->4941 4960 6c413dd7-6c413ddc 4954->4960 4963 6c413e76-6c413e79 4955->4963 4956->4948 4956->4963 4957->4917 4958->4952 4961 6c413e36-6c413e3d 4960->4961 4962 6c413dde-6c413e17 4960->4962 4966 6c413e5c-6c413e5f 4961->4966 4967 6c413e3f-6c413e5a 4961->4967 4962->4956 4963->4935 4966->4958 4969 6c413e65-6c413e69 4966->4969 4967->4956 4969->4948 4969->4963 4975 6c414020-6c414026 4971->4975 4976 6c413fa3-6c413fa8 4971->4976 4979 6c413f06-6c413f35 4975->4979 4980 6c41402c-6c41403c 4975->4980 4977 6c41407c-6c414081 4976->4977 4978 6c413fae-6c413fcf 4976->4978 4983 6c414083-6c41408a 4977->4983 4984 6c4140aa-6c4140ae 4977->4984 4978->4984 4985 6c413f38-6c413f61 4979->4985 4981 6c4140b3-6c4140b8 4980->4981 4982 6c41403e-6c414058 4980->4982 4981->4978 4989 6c4140be-6c4140c9 4981->4989 4986 6c41405a-6c414063 4982->4986 4983->4985 4987 6c414090 4983->4987 4988 6c413f6b-6c413f6f 4984->4988 4990 6c413f64-6c413f67 4985->4990 4991 6c4140f5-6c41413f 4986->4991 4992 6c414069-6c41406c 4986->4992 4987->4951 4993 6c4140a7 4987->4993 4988->4971 4989->4984 4994 6c4140cb-6c4140d4 4989->4994 4995 6c413f69 4990->4995 4991->4995 4996 6c414072-6c414077 4992->4996 4997 6c414144-6c41414b 4992->4997 4993->4984 4994->4993 4998 6c4140d6-6c4140f0 4994->4998 4995->4988 4996->4990 4997->4988 4998->4986
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5a7d1822bdd926e62d616abb37b097aa77abbb60a34a879ae6cf8d012c48fda8
                                                  • Instruction ID: 76d2cce14e2ea661da377eec888e67d0b63b084aec983ebdb7c0c4bb45eed40a
                                                  • Opcode Fuzzy Hash: 5a7d1822bdd926e62d616abb37b097aa77abbb60a34a879ae6cf8d012c48fda8
                                                  • Instruction Fuzzy Hash: F0329132249B018FC324CF28C890FA5B7E3EF95314B698A6DC0EA5BF55D775B44A8B50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: c8e2dd1bf2ea9aba5b31e3a1d893c2daee79fd98d6f42c4d75aefe9aceec984a
                                                  • Instruction ID: 46a26f8efcb3bcb211858e8872d7c6856776aa4fd475d992d6dcb72e731b1ffa
                                                  • Opcode Fuzzy Hash: c8e2dd1bf2ea9aba5b31e3a1d893c2daee79fd98d6f42c4d75aefe9aceec984a
                                                  • Instruction Fuzzy Hash: 9A51F1721587018FC321CF28C884FA5B7E3BF95324F698A5DC0E65BE91DBB4B44A8B41
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: CurrentThread
                                                  • String ID:
                                                  • API String ID: 2882836952-0
                                                  • Opcode ID: 02c128c520b65f92fec335adcf0b9ae83fdd3220136be1cc6b82f7ec0ac3a486
                                                  • Instruction ID: 60332717953a0f0ef7553f964a6f534d887874ffb29a07691cea8ca641fc95da
                                                  • Opcode Fuzzy Hash: 02c128c520b65f92fec335adcf0b9ae83fdd3220136be1cc6b82f7ec0ac3a486
                                                  • Instruction Fuzzy Hash: 2751D271118B018FC320CF29C880FA5B7E3BF95364F698A5DC0E65BE95DBB0B4468B91
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 6C413E9D
                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C413EAA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentInformation
                                                  • String ID:
                                                  • API String ID: 1650627709-0
                                                  • Opcode ID: 71ded10932110e69513ae27aaec03f21c4234a676a95907c782474b4060692fa
                                                  • Instruction ID: ed1ecf4af04a48e20ef267cc955b2188fc8b135876621aa39abc00c334a32177
                                                  • Opcode Fuzzy Hash: 71ded10932110e69513ae27aaec03f21c4234a676a95907c782474b4060692fa
                                                  • Instruction Fuzzy Hash: 0C310231259B01CFC320CF28C894FE6BBA3AF96314F194A1CC0E65BE91DBB4740A8B51
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 6C413E9D
                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C413EAA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentInformation
                                                  • String ID:
                                                  • API String ID: 1650627709-0
                                                  • Opcode ID: 412c83a1aee3195b94524c3e430d1f35f755d5e88ecb74dd948d10f03395bcaa
                                                  • Instruction ID: 4d3c193a59aa87aa53d2e91c55fac771ba0fc27fb1def681e12ad42798f679f0
                                                  • Opcode Fuzzy Hash: 412c83a1aee3195b94524c3e430d1f35f755d5e88ecb74dd948d10f03395bcaa
                                                  • Instruction Fuzzy Hash: C631E131118701CFC724CF28C894FA6BBB2AF96358F694A1CC0E65BE81DBB17446CB51
                                                  APIs
                                                  • GetCurrentThread.KERNEL32 ref: 6C413E9D
                                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C413EAA
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Thread$CurrentInformation
                                                  • String ID:
                                                  • API String ID: 1650627709-0
                                                  • Opcode ID: 13c988e3ed2f6192879ef9f807ddbe410bdef322efed568862dcab6768fcec8c
                                                  • Instruction ID: d740e9e953dcf6df385dd0aedafd86e1d96ee4faf8124fdf73ed0ad4207f0b52
                                                  • Opcode Fuzzy Hash: 13c988e3ed2f6192879ef9f807ddbe410bdef322efed568862dcab6768fcec8c
                                                  • Instruction Fuzzy Hash: 1521F47021C701CFD724CF24C894FA677B2AF56359F194A1DC0E68BE90DBB474058B51
                                                  APIs
                                                  • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C598820
                                                  • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C5988C5
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Open$ManagerService
                                                  • String ID:
                                                  • API String ID: 2351955762-0
                                                  • Opcode ID: d09bee212ed012386d010f3de3cb23282d1083ed8e66a3cb6b6f2757c6386d51
                                                  • Instruction ID: 0f0c1598b613f4594fbadac586871d4d01bad0eb15dc0ddabd9a1e5cd7fce790
                                                  • Opcode Fuzzy Hash: d09bee212ed012386d010f3de3cb23282d1083ed8e66a3cb6b6f2757c6386d51
                                                  • Instruction Fuzzy Hash: A5310874618342AFC700DF29C889A0EBBF0AB89354F548D9EF498D7361D371C8488B67
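The thread records above all end in NtSetInformationThread with 00000011 as the second argument, which is THREADINFOCLASS 0x11, ThreadHideFromDebugger, applied to the handle obtained from the preceding GetCurrentThread; the OpenSCManagerA / OpenServiceA record carries the requested access mask in its last argument (00000001 and 00000004). The Python helper below is an added analyst example, not part of this Joe Sandbox report or of the analysed sample: it parses report bullets of the shape shown above, decodes the thread information class and the service-control access masks from the Windows SDK tables, and flags the anti-debug call. The bullets in SAMPLE_RECORD are copied from the two records above as constructed input; `?` marks arguments the disassembler could not resolve.

```python
"""Decode Joe Sandbox 'APIs' bullets and flag the anti-debug / SCM access patterns.

Added analyst helper; not part of the Joe Sandbox report or the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import Optional

# One report bullet, e.g.
#   • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C413EAA
#   • GetCurrentThread.KERNEL32 ref: 6C413E9D            (no argument list recorded)
API_LINE = re.compile(
    r"""^\s*•?\s*
        (?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)      # Api.MODULE
        (?:\((?P<args>[^)]*)\))?                    # optional (arg,arg,...); '?' = unresolved
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",   # address of the call site
    re.VERBOSE,
)

# THREADINFOCLASS values (ntddk.h); 0x11 is the one this report keeps hitting.
THREADINFOCLASS = {
    0x00: "ThreadBasicInformation", 0x01: "ThreadTimes", 0x02: "ThreadPriority",
    0x03: "ThreadBasePriority", 0x04: "ThreadAffinityMask", 0x05: "ThreadImpersonationToken",
    0x09: "ThreadQuerySetWin32StartAddress", 0x0A: "ThreadZeroTlsCell",
    0x11: "ThreadHideFromDebugger", 0x12: "ThreadBreakOnTermination",
}
# Access-mask bits for OpenSCManager / OpenService (winsvc.h).
SC_MANAGER_ACCESS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_ACCESS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL", 0x10000: "DELETE",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # int per argument, None where the report shows '?'
    ref: int               # call-site address


def _arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one 'APIs' bullet; returns None for any other report line."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = tuple(_arg(t) for t in m["args"].split(",")) if m["args"] else ()
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def decode_mask(mask: int, table: dict) -> list:
    """Name every set bit of an access mask; unknown bits are kept as hex."""
    names, bit = [], 1
    while bit <= mask:
        if mask & bit:
            names.append(table.get(bit, f"0x{bit:X}"))
        bit <<= 1
    return names


def analyze(report_text: str) -> list:
    """Walk the bullets in order and emit one finding per decoded call."""
    findings, prev = [], None
    for call in filter(None, map(parse_api_line, report_text.splitlines())):
        a = call.args
        if call.api == "NtSetInformationThread" and len(a) >= 2 and a[1] is not None:
            cls = THREADINFOCLASS.get(a[1], f"class 0x{a[1]:X}")
            note = f"{call.ref:08X}: NtSetInformationThread({cls})"
            if a[1] == 0x11:
                # Once set, the kernel stops reporting this thread's debug events, so
                # breakpoints and single-steps in it never reach an attached debugger.
                target = "the calling thread" if prev and prev.api == "GetCurrentThread" else "a thread"
                note += f" - anti-debug, hides {target} from the debugger"
            findings.append(note)
        elif call.api in ("OpenSCManagerA", "OpenSCManagerW") and len(a) == 3 and a[2] is not None:
            findings.append(f"{call.ref:08X}: {call.api} access="
                            f"{'|'.join(decode_mask(a[2], SC_MANAGER_ACCESS)) or '0'}")
        elif call.api in ("OpenServiceA", "OpenServiceW") and len(a) == 3 and a[2] is not None:
            findings.append(f"{call.ref:08X}: {call.api} access="
                            f"{'|'.join(decode_mask(a[2], SERVICE_ACCESS)) or '0'}")
        prev = call
    return findings


# Bullets copied from the two records above (constructed input for the demo).
SAMPLE_RECORD = """
• GetCurrentThread.KERNEL32 ref: 6C413E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C413EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C598820
• OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C5988C5
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORD):
        print(finding)
```

Decoding the masks is what makes the service record readable: SC_MANAGER_CONNECT plus SERVICE_QUERY_STATUS lets this routine check whether a named service is running but gives it no right to start, stop, reconfigure or delete it, so on this evidence alone it is a status probe rather than a service installer. The ThreadHideFromDebugger finding is the reason the report's signature list flags "Hides threads from debuggers": a debugger attached after the call still sees the process, but gets no events from that thread.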
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 6C58E0AC
                                                  • FindClose.KERNEL32(000000FF), ref: 6C58E0E2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: a704ca9a1de04ba1e935654e319982e1ba296107e621dbf709cbb2f504e9419d
                                                  • Instruction ID: 8453053a885db0aa3c7a46b7708a635b1de59b2e498aaf28764b8299b00dd6ef
                                                  • Opcode Fuzzy Hash: a704ca9a1de04ba1e935654e319982e1ba296107e621dbf709cbb2f504e9419d
                                                  • Instruction Fuzzy Hash: 65113D7850D361DFC710CF28C94454ABBF4AF86715F144D4AF4A8C7790D774D9888B82

                                                  Control-flow Graph (rendered image, not reproduced here; function 6c5b01c3-6c5b0572 with nodes calling GetConsoleMode, ReadFile, ReadConsoleW and GetLastError; the Executed / Not Executed legend coloured the image's nodes)
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8Q
                                                  • API String ID: 0-4022487301
                                                  • Opcode ID: 4c3aded1c40b8d4dfbd4a2ba52f36289875ef736f6fe3b94822874086a21a66d
                                                  • Instruction ID: 78983e18c753ed60533cb8ae5d855a712b43e15b7f9f6c896f45cb9d809da6d1
                                                  • Opcode Fuzzy Hash: 4c3aded1c40b8d4dfbd4a2ba52f36289875ef736f6fe3b94822874086a21a66d
                                                  • Instruction Fuzzy Hash: CAC1D2B0A04285DFDB01CF9ACEA0BADBFB0BF8A318F10455AD514A7B91C731D946CB61

                                                  Control-flow Graph (rendered image, not reproduced here; function 6c5b775c-6c5b7a85 with nodes calling GetFileType, GetLastError and CloseHandle and subcalls to 6c5b7b47; the Executed / Not Executed legend coloured the image's nodes)
                                                  APIs
                                                    • Part of subcall function 6C5B7B47: CreateFileW.KERNEL32(00000000,00000000,?,6C5B7805,?,?,00000000,?,6C5B7805,00000000,0000000C), ref: 6C5B7B64
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5B7870
                                                  • __dosmaperr.LIBCMT ref: 6C5B7877
                                                  • GetFileType.KERNEL32(00000000), ref: 6C5B7883
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C5B788D
                                                  • __dosmaperr.LIBCMT ref: 6C5B7896
                                                  • CloseHandle.KERNEL32(00000000), ref: 6C5B78B6
                                                  • CloseHandle.KERNEL32(6C5AE7C0), ref: 6C5B7A03
                                                  • GetLastError.KERNEL32 ref: 6C5B7A35
                                                  • __dosmaperr.LIBCMT ref: 6C5B7A3C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                  • String ID: 8Q
                                                  • API String ID: 4237864984-4022487301
                                                  • Opcode ID: b17a1d458fe7b1ef922791128356c8b5559e436ae5712b6a19bfd608d2694264
                                                  • Instruction ID: a63913fca95171445d1876dd856cd0c6f05621c6d31088a25d36d4073f8732f6
                                                  • Opcode Fuzzy Hash: b17a1d458fe7b1ef922791128356c8b5559e436ae5712b6a19bfd608d2694264
                                                  • Instruction Fuzzy Hash: 1EA11432A045059FCF09DF68CCA1BAD7FB1AB4A368F18014DE811FB790D735990ACBA5
                                                  APIs
                                                  • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C56B62F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID: *$,=ym$-=ym$-=ym$B$H
                                                  • API String ID: 3934441357-3163594065
                                                  • Opcode ID: c9bd6251953b853e3f7967ce6ced46299157e90cf1f9b20158d4b53e3b1d0745
                                                  • Instruction ID: 0de382d12a196bfdfcdc5051df316f6f3dc1c30fd0b035947f5505bd492f2fbb
                                                  • Opcode Fuzzy Hash: c9bd6251953b853e3f7967ce6ced46299157e90cf1f9b20158d4b53e3b1d0745
                                                  • Instruction Fuzzy Hash: 3C728C706093458FCB14DF2AC89069EB7E1AF99304F188E1EF499CBB61E774D8859B43
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ;T55
                                                  • API String ID: 0-2572755013
                                                  • Opcode ID: be6fbc64b88486d0fea53c6bc3cb9b5444f1b6bbb921b5a7fcb29a7253b0854f
                                                  • Instruction ID: 297fddeb9308ccc8936ee5037b49b7eff7e269a27f40cbb5773f75e33bd32dcb
                                                  • Opcode Fuzzy Hash: be6fbc64b88486d0fea53c6bc3cb9b5444f1b6bbb921b5a7fcb29a7253b0854f
                                                  • Instruction Fuzzy Hash: D503F431645B018FC728CF29C8D0E95B7F2AFD53287598B6DC0AA4BB95D778B44ACB40

                                                  Control-flow Graph (rendered image, not reproduced here; function 6c5986e0-6c598807 calling CreateProcessA, then WaitForSingleObject and CloseHandle twice, i.e. a synchronously awaited child process; the Executed / Not Executed legend coloured the image's nodes)
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle$CreateObjectProcessSingleWait
                                                  • String ID: D
                                                  • API String ID: 2059082233-2746444292
                                                  • Opcode ID: 43927a08b25472aa779fefe7fc8592b1d8a06e1b38cf42447d33dbf8ed36de19
                                                  • Instruction ID: 66402e32ca0f5bf1c97021b7941505b12705e50dd69a821ffb6d9b2b846420fa
                                                  • Opcode Fuzzy Hash: 43927a08b25472aa779fefe7fc8592b1d8a06e1b38cf42447d33dbf8ed36de19
                                                  • Instruction Fuzzy Hash: 5531E0B18093808FD740DF29D58471ABBF0AB99318F505A1EF8D986360D7799984CF87

                                                  Control-flow Graph (rendered image, not reproduced here; function 6c5af34e-6c5af52f with nodes calling WriteFile and GetLastError; the Executed / Not Executed legend coloured the image's nodes)
                                                  APIs
                                                    • Part of subcall function 6C5AF5A1: GetConsoleCP.KERNEL32(?,6C5AE7C0,?), ref: 6C5AF5E9
                                                  • WriteFile.KERNEL32(?,?,6C5B7DDC,00000000,00000000,?,00000000,00000000,6C5B91A6,00000000,00000000,?,00000000,6C5AE7C0,6C5B7DDC,00000000), ref: 6C5AF49F
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C5B7DDC,6C5AE7C0,00000000,?,?,?,?,00000000,?), ref: 6C5AF4A9
                                                  • __dosmaperr.LIBCMT ref: 6C5AF4EE
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  Similarity
                                                  • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                                  • String ID: 8Q
                                                  • API String ID: 251514795-4022487301
                                                  • Opcode ID: 5c88c225defb8a80b5a6d4d29e4fd9ab310cd4d50a8302e620d3a33e94b86270
                                                  • Instruction ID: 1206c97b728f3d6eeb318950f613823a5ee1296f7c1ee9d7ed54755ecddd3d35
                                                  • Opcode Fuzzy Hash: 5c88c225defb8a80b5a6d4d29e4fd9ab310cd4d50a8302e620d3a33e94b86270
                                                  • Instruction Fuzzy Hash: 9551D371A0010AEFDB00CFE6CC80BDEBBB8EF49358F140656D510ABA51D775D94787A5

                                                  Control-flow Graph (figure)
                                                  APIs
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C599421
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 323602529-1866435925
                                                  • Opcode ID: 387fa8284e00d25aff7b3938e4426ee367828688d05d34e7e2b8605b869e3b26
                                                  • Instruction ID: 087d5a2efff22bbb84241aab89807f7a60a509ea122a68cf60ad746d97857ad6
                                                  • Opcode Fuzzy Hash: 387fa8284e00d25aff7b3938e4426ee367828688d05d34e7e2b8605b869e3b26
                                                  • Instruction Fuzzy Hash: DE5144B5A00B408FD725CF29C881B97BBF1BB88318F048A6DD88647B90D775B909CF90

                                                  Control-flow Graph (figure)
                                                  APIs
                                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C56CFE1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 5f3f7302b534e655d4a51e8b710c3ef61fb4dc1c8d4a418d7c095ce1d4f176a8
                                                  • Instruction ID: 1fd914a55b07235c8d612800cf767b8db5f53760d42d53e76bf0aa9cde9bd2e5
                                                  • Opcode Fuzzy Hash: 5f3f7302b534e655d4a51e8b710c3ef61fb4dc1c8d4a418d7c095ce1d4f176a8
                                                  • Instruction Fuzzy Hash: 88714FB0249341AFDB10DF1AC884B5AFBE4BF89708F504D1EF494C7A60E7B5D9848B92

                                                  Control-flow Graph (figure)
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @*Z$@*Z
                                                  • API String ID: 0-2842812045
                                                  • Opcode ID: 435dfe9ca7a78947b7f40b00ff72def437a1aef90531a7d3b34d570032a72a83
                                                  • Instruction ID: 407bd88ac652ecccc77d6a48f2b1e4492cc78a1fcd9cd1a0ce50ab4de47b7ac2
                                                  • Opcode Fuzzy Hash: 435dfe9ca7a78947b7f40b00ff72def437a1aef90531a7d3b34d570032a72a83
                                                  • Instruction Fuzzy Hash: 8D4269706093428FCB24DF19C89166ABBE1ABC9309F244D6EF49AC7B61D335E9458B13

                                                  Control-flow Graph (figure)
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,6C5B794F), ref: 6C5AF06B
                                                  • GetLastError.KERNEL32(?,00000000,?,6C5B794F), ref: 6C5AF075
                                                  • __dosmaperr.LIBCMT ref: 6C5AF0A0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                  • String ID:
                                                  • API String ID: 2583163307-0
                                                  • Opcode ID: 459b7aa73f2f7c95d94c603af302d9676ab1058e9ce356f1663c1a0a2f73a250
                                                  • Instruction ID: 447f3af75a7959f59364c6b8a6a6bb06e6afef65724e58cf6d8c9a2bc7aee79e
                                                  • Opcode Fuzzy Hash: 459b7aa73f2f7c95d94c603af302d9676ab1058e9ce356f1663c1a0a2f73a250
                                                  • Instruction Fuzzy Hash: 51016F3370522056C21115BB9C9476E37596BC3B3CF254749E61597BC0DF7498464391

                                                  Control-flow Graph (figure)
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 8Q
                                                  • API String ID: 0-4022487301
                                                  • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                  • Instruction ID: d5e489336ae15acdbef83e49767740e205591eac0cfd657e8b007c49520d972e
                                                  • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                                  • Instruction Fuzzy Hash: D7F0F4324416109AD6216AFBAC00BDF32A88FC237CF140B19E92093EC0DF70DC0B86E1
                                                  APIs
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C5991A4
                                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C5991E4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID: Ios_base_dtorstd::ios_base::_
                                                  • String ID:
                                                  • API String ID: 323602529-0
                                                  • Opcode ID: 1677976f93f9d8a09f2267cd0b476242a306fddaef0dfc9d3d8a455109abc515
                                                  • Instruction ID: f316bc15efe2a3cb83d0b9d6453b65f51b49264d26c0c525385efbd03f64baa9
                                                  • Opcode Fuzzy Hash: 1677976f93f9d8a09f2267cd0b476242a306fddaef0dfc9d3d8a455109abc515
                                                  • Instruction Fuzzy Hash: 82514371101B40DBD725CF25C895BE6BBF0BB08718F448A5CD4AA4BAA1DB31B949CB81
                                                  APIs
                                                  • GetLastError.KERNEL32(6C5C9DD0,0000000C), ref: 6C5A2642
                                                  • ExitThread.KERNEL32 ref: 6C5A2649
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorExitLastThread
                                                  • String ID:
                                                  • API String ID: 1611280651-0
                                                  • Opcode ID: e056a4e2453d76c5b565f7ae934848853afdbf0b61d744e5cf3bd221cc1f2425
                                                  • Instruction ID: 54f596eaefe2d49f7739998179865f03be6ff50ab89129c61a2355cc59f274cf
                                                  • Opcode Fuzzy Hash: e056a4e2453d76c5b565f7ae934848853afdbf0b61d744e5cf3bd221cc1f2425
                                                  • Instruction Fuzzy Hash: 15F0DC70A00205EFDB00AFB2CC4AAAE3B30FF85308F100148E005A7B51CB70AD06CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  Similarity
                                                  • API ID: __wsopen_s
                                                  • String ID:
                                                  • API String ID: 3347428461-0
                                                  • Opcode ID: 271d5c9fa2472e7a5c18c6795ba3bb966d317ea9f8633086f51f70e9e9874ed5
                                                  • Instruction ID: e5dadd6dc9471dfdab9369e4527c796e9ad1e59560b971e59bcfb36d8304c43f
                                                  • Opcode Fuzzy Hash: 271d5c9fa2472e7a5c18c6795ba3bb966d317ea9f8633086f51f70e9e9874ed5
                                                  • Instruction Fuzzy Hash: EF114C71A0420AAFCF05CF99E94499F7BF8EF49304F144469F805AB311D670ED22CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: _free
                                                  • String ID:
                                                  • API String ID: 269201875-0
                                                  • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                  • Instruction ID: f76afba655be58584a678c528837e236a9bd8861a4d7cb3a73f7cb4e2fa02a03
                                                  • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                                  • Instruction Fuzzy Hash: 1E01E872C0115AEFCF019FA88C01AEE7FB5AB48354F144565E924B22A1E7318A659B91
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,00000000,?,6C5B7805,?,?,00000000,?,6C5B7805,00000000,0000000C), ref: 6C5B7B64
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: c317bd3186057cd44b5c1b473b5ea96a4961f14a668c64f91542377f3405506e
                                                  • Instruction ID: 520399b5f9dce172703f590b744e3e0c2dcb81b87d4548c9f889ffb52e5a5bfe
                                                  • Opcode Fuzzy Hash: c317bd3186057cd44b5c1b473b5ea96a4961f14a668c64f91542377f3405506e
                                                  • Instruction Fuzzy Hash: 6BD06C3210014DBBDF028E85DC06EDA3BAAFB58755F014000BA1856020C736E961AB94
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                  • Instruction ID: 402340670cbb572cab78ed27e0cda09c2d07e38fd28436923b1421a4c6dff99e
                                                  • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: C
                                                  • API String ID: 4218353326-4157497815
                                                  • Opcode ID: 7cd100c0dd087488f8179537d415514b810be3a5a477522473e943e1437d1bf9
                                                  • Instruction ID: 031e9b425802b634dc4020e69be11bc81973438910cd161adc30f85c506c001e
                                                  • Opcode Fuzzy Hash: 7cd100c0dd087488f8179537d415514b810be3a5a477522473e943e1437d1bf9
                                                  • Instruction Fuzzy Hash: F9731331644B418FC728CF29CCD0A96B7F2AF9531871D8BADC0A787A55EB74B54ACB40
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 6C59945A
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C599466
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C599474
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C59949B
                                                  • NtInitiatePowerAction.NTDLL ref: 6C5994AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                                  • String ID: SeShutdownPrivilege
                                                  • API String ID: 3256374457-3733053543
                                                  • Opcode ID: f74d5fac1dc65cdcf45fb3ee53d97ba8c545547e2abadd50d4b70d95f30029fb
                                                  • Instruction ID: 29c3f373225428397c5a41131b29a1d8918a4b48b3af4aa8d2b3e0bd8127d0ce
                                                  • Opcode Fuzzy Hash: f74d5fac1dc65cdcf45fb3ee53d97ba8c545547e2abadd50d4b70d95f30029fb
                                                  • Instruction Fuzzy Hash: CFF0B470644305BBEB40AF28CD0EB5E7BB8EF45701F004608F945AA0C1DB706984CBAB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: \j`7$\j`7$j
                                                  • API String ID: 0-3644614255
                                                  • Opcode ID: 88cb8019d26d2081aca8c243380c7c96469ec9bd82162738127f25392faf3165
                                                  • Instruction ID: 269f596a3dfe59f74fb3260bfba1c1b9f7e8b79a5f9d388d43a8bf1fa8be5e63
                                                  • Opcode Fuzzy Hash: 88cb8019d26d2081aca8c243380c7c96469ec9bd82162738127f25392faf3165
                                                  • Instruction Fuzzy Hash: C742157460D3828FCB24CF68C490A6ABBE1ABDA354F144A1EE4E5D7B60D734D846CB53
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5F9CE5
                                                    • Part of subcall function 6C5CFC2A: __EH_prolog.LIBCMT ref: 6C5CFC2F
                                                    • Part of subcall function 6C5D16A6: __EH_prolog.LIBCMT ref: 6C5D16AB
                                                    • Part of subcall function 6C5F9A0E: __EH_prolog.LIBCMT ref: 6C5F9A13
                                                    • Part of subcall function 6C5F9837: __EH_prolog.LIBCMT ref: 6C5F983C
                                                    • Part of subcall function 6C5FD143: __EH_prolog.LIBCMT ref: 6C5FD148
                                                    • Part of subcall function 6C5FD143: ctype.LIBCPMT ref: 6C5FD16C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ctype
                                                  • String ID:
                                                  • API String ID: 1039218491-3916222277
                                                  • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                                  • Instruction ID: e551eb4beececd62ba22d8fb0db53fd9d19a7b7705c99cf25527d6b6b16b1e11
                                                  • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                                  • Instruction Fuzzy Hash: E103CD30905288DFDF19DFA4CC40BDCBBB0AF95308F244099D46567A91DB74AE8ADF62
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C5A3969
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C5A3973
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C5A3980
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                  • String ID:
                                                  • API String ID: 3906539128-0
                                                  • Opcode ID: 6f7d4793093face1eb5116d0cdaef2a42920320a4b004bc1c2e55c21d1402f9d
                                                  • Instruction ID: aa814b6c3b37c70e2e92e842f7df1043d49a1f3ae4d74a603f05a6a894c444f2
                                                  • Opcode Fuzzy Hash: 6f7d4793093face1eb5116d0cdaef2a42920320a4b004bc1c2e55c21d1402f9d
                                                  • Instruction Fuzzy Hash: 8A31B1749012299BCB61DF65DD88BCDBBB8BF48314F5046EAE41CA7250EB709B858F48
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000000,?,6C5A2925,6C59D339,00000003,00000000,6C59D339,00000000), ref: 6C5A288F
                                                  • TerminateProcess.KERNEL32(00000000,?,6C5A2925,6C59D339,00000003,00000000,6C59D339,00000000), ref: 6C5A2896
                                                  • ExitProcess.KERNEL32 ref: 6C5A28A8
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Process$CurrentExitTerminate
                                                  • String ID:
                                                  • API String ID: 1703294689-0
                                                  • Opcode ID: ac8df7a1d2103cdf2c3948334999b87c839f120d946c3299b67f6b8c216f7a36
                                                  • Instruction ID: 1647e1682dbf30482b4d253ff5dfa80edbb75fc9600dc2a3784b5c980392e8ee
                                                  • Opcode Fuzzy Hash: ac8df7a1d2103cdf2c3948334999b87c839f120d946c3299b67f6b8c216f7a36
                                                  • Instruction Fuzzy Hash: 92E0B631500609EFCF056F97CC0DA9D3BB9FB85795F124428F81986A21CB36EE82CA84
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: x=J
                                                  • API String ID: 3519838083-1497497802
                                                  • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                  • Instruction ID: 05851771e8758f44623b51698b57acf7439f4386c7eefdab575410e1eb1eca88
                                                  • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                                  • Instruction Fuzzy Hash: 95917D31E01219DACF04EFE5DC909EDB7B1EF45308F20806DD452A7A51DB31AD4ACB96
                                                  APIs
                                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C59AFA0
                                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C59B7C3
                                                    • Part of subcall function 6C59CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C59B7AC,00000000,?,?,?,6C59B7AC,?,6C5C853C), ref: 6C59CAC9
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                                  • String ID:
                                                  • API String ID: 915016180-0
                                                  • Opcode ID: 9d9a0a82a9ad3ea03c62f74e304393edc7635015d2e8a7a61c66987c2bd00577
                                                  • Instruction ID: 35a11143be1a792302ab59a231bb4c9dc10b3ea21a7775fcabc403bc5b6bcba0
                                                  • Opcode Fuzzy Hash: 9d9a0a82a9ad3ea03c62f74e304393edc7635015d2e8a7a61c66987c2bd00577
                                                  • Instruction Fuzzy Hash: 2AB18B71A0430ADFEB54DFA6C8C169EBBB4FB49718F24816AD416E7680D3389A44CF94
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @4J$DsL
                                                  • API String ID: 0-2004129199
                                                  • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                  • Instruction ID: 69aa8e52dc55013fd4bf5ca0d22e2199aac4aa1796b75352b226f39c1a5bd236
                                                  • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                                  • Instruction Fuzzy Hash: E72191377A48564BD74CCA28DC33EB92680E749305B88527EE94BCB7E1DF5C8800C64D
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5E840F
                                                    • Part of subcall function 6C5E9137: __EH_prolog.LIBCMT ref: 6C5E913C
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                  • Instruction ID: b2a02a3fe4124309a08f532034ad59b0341dd9da86a885472691e674e2dcdfdc
                                                  • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                                  • Instruction Fuzzy Hash: 50627A71D01219CFDF15CFA8C890BEDBBB5BF48308F1444AAE815ABA80D7749A44CF92
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: YA1
                                                  • API String ID: 0-613462611
                                                  • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                  • Instruction ID: b31de389f7cbe8fe666a37b3f479946690794feaab429b7e4885d327ddd30768
                                                  • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                                  • Instruction Fuzzy Hash: 3942C17060D3918FD315CF28C49069ABBE2AFE9308F14CA6DE8D58B742D671D94ACB46
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: __aullrem
                                                  • String ID:
                                                  • API String ID: 3758378126-0
                                                  • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                  • Instruction ID: 74b2ea0822f5f8b2612ca440ddaae2df846f0bb89898fbaaa7e1aa48fb90fd08
                                                  • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                                  • Instruction Fuzzy Hash: 1651EA72A083459BD710CF5EC8C02E9FBF6AF79214F19C05DE88497242D27A595ACB60
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID: 0-3916222277
                                                  • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                  • Instruction ID: d4b8a4eafec133c792406b7eab39472ca018801b1670f94899b9148e03046d28
                                                  • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                                  • Instruction Fuzzy Hash: 73028B31A083808BD725CF28C49079EBBE2AFC9748F14CA2DE5C597B55C774E949CB46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: (SL
                                                  • API String ID: 0-669240678
                                                  • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                  • Instruction ID: 3cc12105df5128709d3523645d704f739eb086bacef088d21a4deed45c7c5768
                                                  • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                                  • Instruction Fuzzy Hash: D8519473E208214AD78CCE24DC2177572D2E788310F8BC1B99D8BAB6E6CD78989087C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                     • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: B
                                                  • API String ID: 0-1255198513
                                                  • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                                  • Instruction ID: ab3f3db57ee9f940d56e0636dc21ca64c38c5017ccf6e846bd85f72a5b7aefa5
                                                  • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                                  • Instruction Fuzzy Hash: 443126315087518BD314DF28D884AABB3E2FBC4325F60CA3DD89ACBA95E7745415CF41
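The entries above cite their disassembly source by Joe Sandbox memory-dump file name, and the block just shown lists all seven dumps that make up the module loaded at 6C410000. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it decodes those names into a region map so the reader can see at a glance which dumped regions were executable when the snapshot was taken. The base-address field is confirmed by the "Offset:" values on this page and the PAGE_* / MEM_IMAGE constants are Windows' own; the names given to the remaining fields (process index, state, sequence, dump index) and the reading of the fifth field as page protection are this example's assumptions, not documented format.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Page-protection and allocation-type constants from winnt.h. The values are
# fixed by Windows; only their position inside the sdmp name is assumed here.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout of the eight dot-separated fields, e.g.
# 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
#   process . state . sequence . base address . protection . (unknown) . allocation type . index
# Only the base-address field is confirmed by the report; the rest is a hypothesis.
SDMP_RE = re.compile(r"^(?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+\.sdmp$")


@dataclass(frozen=True, order=True)
class DumpRegion:
    base: int
    protect: str
    mem_type: str
    process: int
    state: int
    index: int
    raw: str


def parse_sdmp_name(name: str) -> DumpRegion:
    """Decode one sdmp file name; trailing page residue such as 'Download File' is dropped."""
    name = name.strip()
    if name.endswith("Download File"):
        name = name[: -len("Download File")].rstrip()
    if not SDMP_RE.match(name):
        raise ValueError(f"not an sdmp name: {name!r}")
    proc, state, _seq, base, prot, _unknown, mtype, idx = name[: -len(".sdmp")].split(".")
    prot_v, mtype_v = int(prot, 16), int(mtype, 16)
    return DumpRegion(
        base=int(base, 16),
        protect=PAGE_PROTECT.get(prot_v & 0xFF, f"0x{prot_v:X}"),  # mask off PAGE_GUARD etc.
        mem_type=MEM_TYPE.get(mtype_v, f"0x{mtype_v:X}"),
        process=int(proc, 10),
        state=int(state, 10),
        index=int(idx, 16),
        raw=name,
    )


def region_map(names: Iterable[str]) -> list[DumpRegion]:
    """Unique regions sorted by base address: the layout of the dumped module."""
    return sorted({parse_sdmp_name(n) for n in names})


def executable_regions(regions: Iterable[DumpRegion]) -> list[DumpRegion]:
    """Regions whose decoded protection includes execute."""
    return [r for r in regions if r.protect.startswith("PAGE_EXECUTE")]


# The seven dump names associated with the 6C410000 module, copied from the entries above.
PAGE_DUMPS = [
    "00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp",
    "00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmpDownload File",
    "00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp",
]

if __name__ == "__main__":
    for r in region_map(PAGE_DUMPS):
        print(f"{r.base:08X}  {r.protect:<24} {r.mem_type}")
```

Under this reading, 6C411000 and 6C69C000 are the two execute-protected regions, while the dump most of the opcode entries above name as their source, 6C5CB000 (which contains addresses such as 6C5E9137), decodes as PAGE_WRITECOPY. If the protection-field assumption holds, code being disassembled out of a writable image section is worth a second look during triage, since it usually means code that was written or patched at run time rather than mapped read-only from disk.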
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                  • Instruction ID: c9ebe97b27e5523ec31ab5a806398a2c1c36ec18dc481154e2a448c471e7b097
                                                  • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                                  • Instruction Fuzzy Hash: 28523B71208B458BD329CF29C5906AAB7E2BF95308F14CA2DD4DAC7B41EB74F849CB45
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                  • Instruction ID: 509183879653940c5f99fe7a4a43d8adb3ee95fc8f42d8dc76fc591c10156f24
                                                  • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                                  • Instruction Fuzzy Hash: 836216B1A083418FCB14CF1AC58055AFBF5BFC8744FA48A2EE89987754D770E855CB8A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                  • Instruction ID: 7b95ccdd564eeefec168c16585deacbce3a367f9120a14f7488873126cef9d1e
                                                  • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                                  • Instruction Fuzzy Hash: EC129F712097428FC718CF28C59066ABBE2BFC9348F54C92DE9D687B41DB31E849CB59
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                  • Instruction ID: fa072eb654ce144cbbb1389a75d92ffd22621cb051641ba762fd1586954c9521
                                                  • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                                  • Instruction Fuzzy Hash: 4A022C31A183118FC318CE28C4C0269BBF2FBC4359F658B2EE896D7A54D770D955CB96
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                  • Instruction ID: d0eeaac654e168d75b88ad7b4e3998ed3a61d397c8c5a41efd3565a57a1ea554
                                                  • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                                  • Instruction Fuzzy Hash: CEF1F1326042898BEB24CE28D8547EEBBE2FBC5304F64C53DD889CBB41DB35954AC795
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                  • Instruction ID: 7cdf68a39d2c70080698e95763213f3b115bbbdcaf326162a8461b80f4bef698
                                                  • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                                  • Instruction Fuzzy Hash: 8ED147B15047128FD318CF1DC898236BBE1FF86308F654A7DD9A28B386D7349525CB58
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                     • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                  • Instruction ID: 04f796b55fb982e6f710658355315853aec5ea0479c33ddd23b032171531e43a
                                                  • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                                  • Instruction Fuzzy Hash: FFB1C7366087128BE318DE7CD8548FB73E2EBC1320F54863EE596CB9C4DB35951A8B85
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                  • Instruction ID: 0207749f5a3cab1c3d1165ba5e6db489e78ba7644d7f2bb7c09c73f3387142f0
                                                  • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                                  • Instruction Fuzzy Hash: 2FC193352047418BC719CF39D0A06A7BBE2EFDA314F14CA6DC4DA4BB55DA30A80ECB59
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                  • Instruction ID: 1d4d411834feb70513c23022b515326d90a59eb55fcaf2cf160a157849d4e2e0
                                                  • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                                  • Instruction Fuzzy Hash: 33B1C031304B458BD324DE39C890BEAB7E6AF85308F04C52DC5AA87B51EF34B949879D
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                  • Instruction ID: d7d78c3a8eee9d2416e500541c145efe5670822b31c1d24b61039e4d19c72da5
                                                  • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                                  • Instruction Fuzzy Hash: 03B19C756087028BC304DF29C8806ABF7E2FFC9304F18C92DE49987715E7B1A55ACB99
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                  • Instruction ID: f71cd132618026e54e270c91e421bead346a96c10e3a2760ac46b7eeb44891df
                                                  • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                                  • Instruction Fuzzy Hash: 73A1D4716083419FC318DF2DC49069ABBE1ABD5348F54CA2DE4D787B41D631E98ECB4A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                  • Instruction ID: 23e38da114d83ec91006b191ce46a32806b432884ae798e7792b7a8e29d58d23
                                                  • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                                  • Instruction Fuzzy Hash: 0581B435A047058FC320DF29C480296F7E1FF99718F28CA6DC59A9B711E772E94ACB85
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                     • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                  • Instruction ID: 5bd2fc06b563c439ba5558a65db1d383f9ff221a2884efb47785546a743cdd88
                                                  • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                                  • Instruction Fuzzy Hash: 9E5186366166124BC70CDA3CD8619E73392EBDA370B18C73EE59AC79D4EB79940BC600
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                     • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                     • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                  • Instruction ID: 110ea477453c22a560d1b6633b190c1075038895a6da918b7b87650dcf1f00aa
                                                  • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                                  • Instruction Fuzzy Hash: B0519E76F006099BDB08CE98DD926EDB7F2EF98304F248169D116E7791E774DA41CB40
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                  • Instruction ID: 7175d8267c700fdc08007db22548575103a8bfe199048c1f081112944f9a0067
                                                  • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                                  • Instruction Fuzzy Hash: 2751473550C7068FC314DF6CE9449EA73A2AFC5320F618B3EE495CB8D1EB7551298B46
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                  • Instruction ID: 3f5c8e9a52aba8c6d4ce30a0a206e62e0df4c4deb5847fa3159fb6d7e89db140
                                                  • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                                  • Instruction Fuzzy Hash: 0C3114677A440103C70CC93BCC1279FA1575BD822A79EDB796805CAF55D92CC8124144
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 65fd8d5df84e287033a93fd4cf49978dac7d2e320e8774fd0d34053ce36ae67d
                                                  • Instruction ID: 2296b6192d24015813d3fc365348740cab0e695bcfdc3e3b18115feb2acfdf54
                                                  • Opcode Fuzzy Hash: 65fd8d5df84e287033a93fd4cf49978dac7d2e320e8774fd0d34053ce36ae67d
                                                  • Instruction Fuzzy Hash: 7A41AD72A487168FC304DE58EC804FBB3A6EFC8310F904B3DA865971D5D771691AC391
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                  • Instruction ID: 09568766e496c560fcdc1ae2c9f2215b605fa9b29960ee8126ff53fa9942f0db
                                                  • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                                  • Instruction Fuzzy Hash: C2318831A047128BD728DE39D4440ABB3E3EFC5318B54CB3DC0568B999EBB5601BCB41
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                  • Instruction ID: 3cd20a8667c842ae45cff860f26cbb033866ab61f56cffd283febcaa0eb230dd
                                                  • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                                  • Instruction Fuzzy Hash: 09219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 35042ff8a672b96ff0772bd7cbe4d2f4e6afa2f2e8eba45d2de6745819cdf1cc
                                                  • Instruction ID: 07fa9edd3609908376b14274b579fbc3ff7ddd29c3c55a24fb0a2cdfea1a94a5
                                                  • Opcode Fuzzy Hash: 35042ff8a672b96ff0772bd7cbe4d2f4e6afa2f2e8eba45d2de6745819cdf1cc
                                                  • Instruction Fuzzy Hash: 4AF03032A15224DFCB16DA8AC805B8D73B8EB49BA9F118196E9419B651C6B0ED41C7C4
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                  • Instruction ID: 4d938b33516adbd737e2558bb4cf1e8bd5fc50993297ead9785db9fca0e4456e
                                                  • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                                  • Instruction Fuzzy Hash: AAE04672912228EBCB10DBC9890499AB3ACEB85B44B1100A6B905D3600D2B0EE01CBD0
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                                  • Instruction ID: bd1fbf77cb6e8ffcb126f22c219b8d9b94185d9248d8d98dd446c40ed447a083
                                                  • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                                  • Instruction Fuzzy Hash: 8FC08CA712810017C302EA2698C0BAAFAB37360330F228C2EA0A2E7E43C328C0648116
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                                  • API String ID: 3519838083-609671
                                                  • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                  • Instruction ID: fb90db6ebcc3e617f70551910ad24299720fc4ddde3b571ddb958039ccdae742
                                                  • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                                  • Instruction Fuzzy Hash: F7D1AD31B0420ADFCB09CFA4DA80AEEB7B5FF45308F244519E056B3A50DB70E949CB69
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv$H_prolog
                                                  • String ID: >WJ$x$x
                                                  • API String ID: 2300968129-3162267903
                                                  • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                  • Instruction ID: 0ba961a899c2415c9027c122e1977005ea8b6ba6d57a46fde31a06afd1481ed8
                                                  • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                                  • Instruction Fuzzy Hash: 0A12767190021AEFCF10DFA9CC80AEDBBB5FF48318F248169E819ABA60D7319D45CB51
                                                  APIs
                                                  • _ValidateLocalCookies.LIBCMT ref: 6C59D1F7
                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6C59D1FF
                                                  • _ValidateLocalCookies.LIBCMT ref: 6C59D288
                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6C59D2B3
                                                  • _ValidateLocalCookies.LIBCMT ref: 6C59D308
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                  • String ID: csm
                                                  • API String ID: 1170836740-1018135373
                                                  • Opcode ID: a7d2e75f7f1534e9f85e5b1f535ea85945b175d62ec838d9b906828615aa1b48
                                                  • Instruction ID: afaf0893ea45dda3585eb5141d2b2665a5af688e09d44ff108e7d7f3dacf46ef
                                                  • Opcode Fuzzy Hash: a7d2e75f7f1534e9f85e5b1f535ea85945b175d62ec838d9b906828615aa1b48
                                                  • Instruction Fuzzy Hash: 5D41C534A01259EBCF00CFA9CC80ADE7BB5AF8531CF148195E828ABB55D731DE06CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: api-ms-$ext-ms-
                                                  • API String ID: 0-537541572
                                                  • Opcode ID: c90b5724b0693c7d81806c65b9d5f15f959d283982b4dfc164c046e3a2cd5c2e
                                                  • Instruction ID: 0d0c6cddeba25be9505866245f266acac7ac40aca159257833b8660d01c1c591
                                                  • Opcode Fuzzy Hash: c90b5724b0693c7d81806c65b9d5f15f959d283982b4dfc164c046e3a2cd5c2e
                                                  • Instruction Fuzzy Hash: 0C21EB71E05611EBDB118AABCC84A5F37B49B167A8F160615E911B7AA0DB30DD03CEE4
                                                  APIs
                                                  • GetConsoleCP.KERNEL32(?,6C5AE7C0,?), ref: 6C5AF5E9
                                                  • __fassign.LIBCMT ref: 6C5AF7C8
                                                  • __fassign.LIBCMT ref: 6C5AF7E5
                                                  • WriteFile.KERNEL32(?,6C5B91A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C5AF82D
                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C5AF86D
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C5AF919
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: FileWrite__fassign$ConsoleErrorLast
                                                  • String ID:
                                                  • API String ID: 4031098158-0
                                                  • Opcode ID: 423f41db5fbc3df92b9e98cb368aefd753f399d107cc75376702fecab6c7741c
                                                  • Instruction ID: fdb9bd6bc2889205dead6c11903a399f65b63d86c4e3fd049a5dd2ffe1c4e0dd
                                                  • Opcode Fuzzy Hash: 423f41db5fbc3df92b9e98cb368aefd753f399d107cc75376702fecab6c7741c
                                                  • Instruction Fuzzy Hash: 4ED1CB71E012499FCF15CFE9C8809EDBBB5FF49318F28026AE855BB251D730AA06CB54
                                                  APIs
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C462F95
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C462FAF
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C462FD0
                                                  • __Getctype.LIBCPMT ref: 6C463084
                                                  • std::_Facet_Register.LIBCPMT ref: 6C46309C
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C4630B7
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                                  • String ID:
                                                  • API String ID: 1102183713-0
                                                  • Opcode ID: dea522ae623c88ced2fde5a55737ac280f1a5bd04e4325e4bfa51395ed0389f1
                                                  • Instruction ID: 5413b6dc6d69a9fe2b9225432baa54ec774ad0af016ba49360fa932335710079
                                                  • Opcode Fuzzy Hash: dea522ae623c88ced2fde5a55737ac280f1a5bd04e4325e4bfa51395ed0389f1
                                                  • Instruction Fuzzy Hash: E34157B1E00255CFCB14CF86C854F9EB7B0FF44714F044159D859ABB44DB35A908CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv$__aullrem
                                                  • String ID:
                                                  • API String ID: 2022606265-0
                                                  • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                  • Instruction ID: 499cd434c7269d6ddff49096a652fb388effafe44ad33b0fdda6d9f8fa9762f7
                                                  • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                                  • Instruction Fuzzy Hash: 5C21E330544369FFDF108E9A8C40DDF7A69FB423A8F208226B52061A90D7719D50D7AA
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5DD6F1
                                                    • Part of subcall function 6C5EC173: __EH_prolog.LIBCMT ref: 6C5EC178
                                                  • __EH_prolog.LIBCMT ref: 6C5DD8F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: IJ$WIJ$J
                                                  • API String ID: 3519838083-740443243
                                                  APIs
                                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 6C462A76
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ___std_exception_destroy
                                                  • String ID: U#Fl$q!Fl$Jbx$Jbx
                                                  • API String ID: 4194217158-105005157
                                                  APIs
                                                  • _free.LIBCMT ref: 6C5B91CD
                                                  • _free.LIBCMT ref: 6C5B91F6
                                                  • SetEndOfFile.KERNEL32(00000000,6C5B7DDC,00000000,6C5AE7C0,?,?,?,?,?,?,?,6C5B7DDC,6C5AE7C0,00000000), ref: 6C5B9228
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C5B7DDC,6C5AE7C0,00000000,?,?,?,?,00000000,?), ref: 6C5B9244
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: _free$ErrorFileLast
                                                  • String ID: 8Q
                                                  • API String ID: 1547350101-4022487301
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5F141D
                                                    • Part of subcall function 6C5F1E40: __EH_prolog.LIBCMT ref: 6C5F1E45
                                                    • Part of subcall function 6C5F18EB: __EH_prolog.LIBCMT ref: 6C5F18F0
                                                    • Part of subcall function 6C5F1593: __EH_prolog.LIBCMT ref: 6C5F1598
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: &qB$0aJ$A0$XqB
                                                  • API String ID: 3519838083-1326096578
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: J$0J$DJ$`J
                                                  • API String ID: 3519838083-2453737217
                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C5A28A4,00000000,?,6C5A2925,6C59D339,00000003,00000000), ref: 6C5A282F
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C5A2842
                                                  • FreeLibrary.KERNEL32(00000000,?,?,6C5A28A4,00000000,?,6C5A2925,6C59D339,00000003,00000000), ref: 6C5A2865
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 4061214504-1276376045
                                                  APIs
                                                  • __EH_prolog3.LIBCMT ref: 6C59AA1E
                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C59AA29
                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C59AA97
                                                    • Part of subcall function 6C59A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C59A938
                                                  • std::locale::_Setgloballocale.LIBCPMT ref: 6C59AA44
                                                  • _Yarn.LIBCPMT ref: 6C59AA5A
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                  • String ID:
                                                  • API String ID: 1088826258-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $!$@
                                                  • API String ID: 3519838083-2517134481
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog__aulldiv
                                                  • String ID: $SJ
                                                  • API String ID: 4125985754-3948962906
                                                  APIs
                                                    • Part of subcall function 6C59AA17: __EH_prolog3.LIBCMT ref: 6C59AA1E
                                                    • Part of subcall function 6C59AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C59AA29
                                                    • Part of subcall function 6C59AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C59AA44
                                                    • Part of subcall function 6C59AA17: _Yarn.LIBCPMT ref: 6C59AA5A
                                                    • Part of subcall function 6C59AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C59AA97
                                                    • Part of subcall function 6C462F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C462F95
                                                    • Part of subcall function 6C462F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C462FAF
                                                    • Part of subcall function 6C462F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C462FD0
                                                    • Part of subcall function 6C462F60: __Getctype.LIBCPMT ref: 6C463084
                                                    • Part of subcall function 6C462F60: std::_Facet_Register.LIBCPMT ref: 6C46309C
                                                    • Part of subcall function 6C462F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C4630B7
                                                  • std::ios_base::_Addstd.LIBCPMT ref: 6C46211B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                  • API String ID: 3332196525-1866435925
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $CK$CK
                                                  • API String ID: 3519838083-2957773085
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: 0$LrJ$x
                                                  • API String ID: 3519838083-658305261
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5F7ECC
                                                    • Part of subcall function 6C5E258A: __EH_prolog.LIBCMT ref: 6C5E258F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: :hJ$dJ$xJ
                                                  • API String ID: 3519838083-2437443688
                                                  APIs
                                                  • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C5AE7C0,6C461DEA,00008000,6C5AE7C0,?,?,?,6C5AE36F,6C5AE7C0,?,00000000,6C461DEA), ref: 6C5AE4B9
                                                  • GetLastError.KERNEL32(?,?,?,6C5AE36F,6C5AE7C0,?,00000000,6C461DEA,?,6C5B7D8E,6C5AE7C0,000000FF,000000FF,00000002,00008000,6C5AE7C0), ref: 6C5AE4C3
                                                  • __dosmaperr.LIBCMT ref: 6C5AE4CA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                  • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                  • String ID: 8Q
                                                  • API String ID: 2336955059-4022487301
                                                  • Opcode ID: 35a3431036b8c6717cb5f6b3782722234c4e884cb9236b904ee17491ee603c5b
                                                  • Instruction ID: 9af5c52cfa91560b739eb451d1453f8272f9479ac3c0e4d9308922abdf127bd0
                                                  • Opcode Fuzzy Hash: 35a3431036b8c6717cb5f6b3782722234c4e884cb9236b904ee17491ee603c5b
                                                  • Instruction Fuzzy Hash: ED01D472710515AFCB05DFEBDC4589E3B2DEBC6734B250208E921AB680EAB1DD5287A0
                                                  APIs
                                                  • AcquireSRWLockExclusive.KERNEL32(6C69766C,?,652EF5AA,6C46230E,6C69730C), ref: 6C59A1F7
                                                  • ReleaseSRWLockExclusive.KERNEL32(6C69766C), ref: 6C59A22A
                                                  • WakeAllConditionVariable.KERNEL32(6C697668), ref: 6C59A235
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                  • String ID: lvil
                                                  • API String ID: 1466638765-4042489560
                                                  • Opcode ID: 4519273d9ca30aefa3989d059e23419f2f45b4a382a0c295b7fe7d41059e925a
                                                  • Instruction ID: c893bfa96e19ffe3dc0d717161ff4f90b5e27d5b316f10c172fd5d877754ef88
                                                  • Opcode Fuzzy Hash: 4519273d9ca30aefa3989d059e23419f2f45b4a382a0c295b7fe7d41059e925a
                                                  • Instruction Fuzzy Hash: 54F03974600602DFCB04EF9AD888C947BB8EB4A750F02802EE906C3700CA35AA01CFAC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: <J$DJ$HJ$TJ$]
                                                  • API String ID: 0-686860805
                                                  • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                  • Instruction ID: dbf35cd004f221772325e45b0a848c8e60f71783055f288024d3dbfc2d7562cd
                                                  • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                                  • Instruction Fuzzy Hash: 1C41B430D1524AEFCF24DFA0DC908EEB770AF59208B20856DD02167A50EB75AA4DCB91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv
                                                  • String ID:
                                                  • API String ID: 3732870572-0
                                                  • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                  • Instruction ID: 7d6df9d4b14130f865d57a0396eb755dd8ff119cc6730348612c3fbb95005bde
                                                  • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                                  • Instruction Fuzzy Hash: 79119076204244BFEB218EA5CC80EEFBBBDEBCD748F10842DB18156A90CB71AC04D720
                                                  APIs
                                                  • GetLastError.KERNEL32(00000008,?,00000000,6C5ABB43), ref: 6C5A80A7
                                                  • _free.LIBCMT ref: 6C5A8104
                                                  • _free.LIBCMT ref: 6C5A813A
                                                  • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C5A8145
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_free
                                                  • String ID:
                                                  • API String ID: 2283115069-0
                                                  • Opcode ID: 1485da0063c3087f7e0b49bdfd409fe928a5a3879c5cae9cedc5eb71214796d3
                                                  • Instruction ID: f5826ab85a9e840704a84414f6f33a1aca95984fb8bc7266e740cd26c33b2bde
                                                  • Opcode Fuzzy Hash: 1485da0063c3087f7e0b49bdfd409fe928a5a3879c5cae9cedc5eb71214796d3
                                                  • Instruction Fuzzy Hash: B2119471304642AA9B515DF79CC495E366AABC22BDB25062AF22492AD0EF258C074626
                                                  APIs
                                                  • WriteConsoleW.KERNEL32(00000000,?,6C5B7DDC,00000000,00000000,?,6C5B8241,00000000,00000001,00000000,6C5AE7C0,?,6C5AF976,?,?,6C5AE7C0), ref: 6C5B95C1
                                                  • GetLastError.KERNEL32(?,6C5B8241,00000000,00000001,00000000,6C5AE7C0,?,6C5AF976,?,?,6C5AE7C0,?,6C5AE7C0,?,6C5AF40C,6C5B91A6), ref: 6C5B95CD
                                                    • Part of subcall function 6C5B961E: CloseHandle.KERNEL32(FFFFFFFE,6C5B95DD,?,6C5B8241,00000000,00000001,00000000,6C5AE7C0,?,6C5AF976,?,?,6C5AE7C0,?,6C5AE7C0), ref: 6C5B962E
                                                  • ___initconout.LIBCMT ref: 6C5B95DD
                                                    • Part of subcall function 6C5B95FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C5B959B,6C5B822E,6C5AE7C0,?,6C5AF976,?,?,6C5AE7C0,?), ref: 6C5B9612
                                                  • WriteConsoleW.KERNEL32(00000000,?,6C5B7DDC,00000000,?,6C5B8241,00000000,00000001,00000000,6C5AE7C0,?,6C5AF976,?,?,6C5AE7C0,?), ref: 6C5B95F2
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                  • String ID:
                                                  • API String ID: 2744216297-0
                                                  • Opcode ID: fd3364ba30672cb59ea71b5662ea8640e86a3705cb3ce6cda3b4114a3d9400a5
                                                  • Instruction ID: 990a59b503111bb58b6041a3511b70bcc3eb78f0867b91aa093b39cd8b766dd1
                                                  • Opcode Fuzzy Hash: fd3364ba30672cb59ea71b5662ea8640e86a3705cb3ce6cda3b4114a3d9400a5
                                                  • Instruction Fuzzy Hash: 6CF01C36244619BBCF121F92CC44A893F76FF4A7A1F064014FA09A9A60DA32C960DB95
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5D1077
                                                    • Part of subcall function 6C5D0FF5: __EH_prolog.LIBCMT ref: 6C5D0FFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: :$\
                                                  • API String ID: 3519838083-1166558509
                                                  • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                  • Instruction ID: 1e3504b91ff046604583d6ed54f40f137ce5849b8780431d5ed5409c11c8f493
                                                  • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                                  • Instruction Fuzzy Hash: 21E1DF30A00309DACB10DFACCC90BEEB7B1AF95328F11451DD856ABA91DB75F949CB19
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog__aullrem
                                                  • String ID: d%K
                                                  • API String ID: 3415659256-3110269457
                                                  • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                                  • Instruction ID: 208bb2de34f669ef9e6259b776182b6651d67cd7c25b7111faa90d9d39fb3685
                                                  • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                                  • Instruction Fuzzy Hash: 4C81C071A042189BDF02CF99C480BDEB7F5AF8534EF248159D818ABE41D771E909CBA9
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog3_
                                                  • String ID: 8Q
                                                  • API String ID: 2427045233-4022487301
                                                  • Opcode ID: 0ad30c5b9aac363ee540b76bf1b486b0864cd8a3de95745a96bcf51da6234016
                                                  • Instruction ID: dd0bb8ab881c52ecf91a6837f1dce899fff3e61dea32313789558e867df48edc
                                                  • Opcode Fuzzy Hash: 0ad30c5b9aac363ee540b76bf1b486b0864cd8a3de95745a96bcf51da6234016
                                                  • Instruction Fuzzy Hash: AE71A075945316DBDB118BDBCC80BEE7AB9EF45318F248229E820A7A80DF758947C760
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$hfJ
                                                  • API String ID: 3519838083-1391159562
                                                  • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                  • Instruction ID: fcf503c84e8bb1bf0b35356117e3ba0d805bdbab129e0e8f3d5a9bf304efe7dd
                                                  • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                                  • Instruction Fuzzy Hash: E2913671910348EFCB14DFA9C8909DEBBB4FF18308F54451EE566E7A90DB70AA49CB21
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C5EBC5D
                                                    • Part of subcall function 6C5EA61A: __EH_prolog.LIBCMT ref: 6C5EA61F
                                                    • Part of subcall function 6C5EAA2E: __EH_prolog.LIBCMT ref: 6C5EAA33
                                                    • Part of subcall function 6C5EBEA5: __EH_prolog.LIBCMT ref: 6C5EBEAA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: WZJ
                                                  • API String ID: 3519838083-1089469559
                                                  • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                  • Instruction ID: d6e0145a9d208850e8df1a9d9fe3a6bcfa2f3bf16e4ca46830c5a61db828ba0a
                                                  • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                                  • Instruction Fuzzy Hash: 40815B31D00258DFCF15EFE8D990ADDBBB4AF59308F10409AE51667790DB30AE49CBA5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: <dJ$Q
                                                  • API String ID: 3519838083-2252229148
                                                  • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                  • Instruction ID: a81b9d339380f5e2a7e805b3950553c0c8ab91000bce40e7101f58dc98a79685
                                                  • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                                  • Instruction Fuzzy Hash: 46515971A04249EBDF04DFA8CC808EDB7B5BF89318F10856EE525AB650D7319A4ACF12
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $D^J
                                                  • API String ID: 3519838083-3977321784
                                                  • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                  • Instruction ID: 4dbb9e47d43fe2ef2a01541c68515d9f4d06400dd65ac15fc7b2092eaad35e0d
                                                  • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                                  • Instruction Fuzzy Hash: 84412931A245B09ED722AB688C547E9BBA5EF5F208F14815CC49247E81DBE45D8AC3D1
                                                  APIs
                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C5B7DC6), ref: 6C5B070B
                                                  • __dosmaperr.LIBCMT ref: 6C5B0712
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast__dosmaperr
                                                  • String ID: 8Q
                                                  • API String ID: 1659562826-4022487301
                                                  • Opcode ID: 7496562cc2ab32d861ff6bb34346a3643577d9642a3b9583fe3787b7d7e5c4a7
                                                  • Instruction ID: ecd61551c0d4018bd5992dd9a0f7de713d7819451854f610468da1cffd3f2bc1
                                                  • Opcode Fuzzy Hash: 7496562cc2ab32d861ff6bb34346a3643577d9642a3b9583fe3787b7d7e5c4a7
                                                  • Instruction Fuzzy Hash: E14199F06042D6AFDB11CF59CDA0AAC7FE5EBC6358F14425AE880AB641E3319C168BD0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: _strlen
                                                  • String ID: U#Fl$q!Fl
                                                  • API String ID: 4218353326-3451018586
                                                  • Opcode ID: 921eb05b76f56a1e61f4d4ed5157d87a951ef01bfbc572a4dfd133949b44ccb3
                                                  • Instruction ID: bff40019bf5e2103490c32c6cf166ecad6244c88e7d35cc5e158de79f2e5dff9
                                                  • Opcode Fuzzy Hash: 921eb05b76f56a1e61f4d4ed5157d87a951ef01bfbc572a4dfd133949b44ccb3
                                                  • Instruction Fuzzy Hash: C441B2B2D00259ABCB10DFA5DC84EDEBBB5FF88354F150229E805A7B40E7319948CBE1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: X&L$p|J
                                                  • API String ID: 3519838083-2944591232
                                                  • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                  • Instruction ID: d05bcf24385766a2cb2f16a6e636cdd89c6157186981422e05a7c76d9f74cd71
                                                  • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                                  • Instruction Fuzzy Hash: D5315C31789505CBDB08DB98DF01BE97770EF5A328F20016BD410B6EB3CB6199868A9D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: 0|J$`)L
                                                  • API String ID: 3519838083-117937767
                                                  • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                  • Instruction ID: b9837cec0953200819a076f4d482bbe5e9f041cf5d15581372de83fe7307c285
                                                  • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                                  • Instruction Fuzzy Hash: 4541A231701785DFCB159FA4C9907EABBE2FF85308F00442EE45AA7B50CB756904DB96
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv
                                                  • String ID: 3333
                                                  • API String ID: 3732870572-2924271548
                                                  • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                  • Instruction ID: 5a5a31b06abb51e172e6604381d66a8b85f8605b859ede793a9c2013839c4984
                                                  • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                                  • Instruction Fuzzy Hash: 4721B7B0A447046FD724CFBA8880B5BFAFCEB85755F10891EA186E7B41D770A904C76D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$LuJ
                                                  • API String ID: 3519838083-205571748
                                                  • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                  • Instruction ID: 57e699d304b19b3435ca64e3c4454fc6e788081b40c8589e3061c72ffc93de55
                                                  • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                                  • Instruction Fuzzy Hash: A5016D72E01709DACB14DFA9C9809AEF7B4EF59708F40842EE569F3A41D3749904CB99
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: @$xMJ
                                                  • API String ID: 3519838083-951924499
                                                  • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                  • Instruction ID: cae5fc2e3d2f6d2009b48befa4ee6ad4dfeca86107e2b81d203818fc3260e0ec
                                                  • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                                  • Instruction Fuzzy Hash: 20117C71E01309DBCB00CFE9C89059EB7B4FF59308B91C96ED429E7A00D334AA05CB99
                                                  APIs
                                                  • _free.LIBCMT ref: 6C5B1439
                                                  • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C5ADD2A,?,00000004,?,4B42FCB6,?,?,6C5A2E7C,4B42FCB6,?), ref: 6C5B1475
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: AllocHeap_free
                                                  • String ID: 8Q
                                                  • API String ID: 1080816511-4022487301
                                                  • Opcode ID: b62a095ab92a7b04c20329a93226c8a8c58c06aecac4adaffdbfea0afea87c5b
                                                  • Instruction ID: c8c391f843fda666ea7af66ec18784132d2133d7805e6cd444be4a86e0a7d6b4
                                                  • Opcode Fuzzy Hash: b62a095ab92a7b04c20329a93226c8a8c58c06aecac4adaffdbfea0afea87c5b
                                                  • Instruction Fuzzy Hash: D9F04632201511E6DB505EB79C20B8FBF289FC3BB8F118129E815B6E80EF70C80680A1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 6C602746
                                                    • Part of subcall function 6C6027BF: __EH_prolog.LIBCMT ref: 6C6027C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: ur`l$sJ
                                                  • API String ID: 3519838083-2641882569
                                                  • Opcode ID: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                                  • Instruction ID: 2b664d55601f67fd87510e1a30969c6a0702cc57be8a592f080e812ab7708697
                                                  • Opcode Fuzzy Hash: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
                                                  • Instruction Fuzzy Hash: F201A231B00014EBCB05BBA4CD50AEDBB75EFC5718F00801AE441A2B90CF78595ACFDA
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prologctype
                                                  • String ID: |zJ
                                                  • API String ID: 3037903784-3782439380
                                                  • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                  • Instruction ID: ebe9bdcfe2e16ba52cffabbb199664bceca2955455ac7b58eb2be72f40920d27
                                                  • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                                  • Instruction Fuzzy Hash: 03E0E5327011209BE718CF48C9007DDF3A4FF55718F10801F9812F3A40CBF0E840868A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: H_prologctype
                                                  • String ID: <oJ
                                                  • API String ID: 3037903784-2791053824
                                                  • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                                  • Instruction ID: eb6c664808aae777b1ad10d77d2f1123426b5ee984d8ec035cc388056de6407c
                                                  • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                                  • Instruction Fuzzy Hash: 3AE0ED72A011209BDB08EF48C810BDEF7A8EF42728F11001EA021A3B51CBB1A801CA89
                                                  APIs
                                                  • AcquireSRWLockExclusive.KERNEL32(6C69766C,?,?,652EF5AA,6C4622D8,6C69730C), ref: 6C59A1A9
                                                  • ReleaseSRWLockExclusive.KERNEL32(6C69766C), ref: 6C59A1E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
                                                   • Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1840146482.000000006C787000.00000002.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID: ExclusiveLock$AcquireRelease
                                                  • String ID: lvil
                                                  • API String ID: 17069307-4042489560
                                                  • Opcode ID: 95496f482cd4ba740612f68c2945d08d00860050fd823c16df2b198b7a603507
                                                  • Instruction ID: bd872caad93ff7d48b4056ebe5905d805b30ff69c80ddaa311bd15bfab18a974
                                                  • Opcode Fuzzy Hash: 95496f482cd4ba740612f68c2945d08d00860050fd823c16df2b198b7a603507
                                                  • Instruction Fuzzy Hash: F8F0A734A40541CBCB109F19CC44E65B7B8EB87774F15426DE86543B80C7351942DA79
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: @ K$DJ$T)K$X/K
                                                  • API String ID: 0-3815299647
                                                  • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                                  • Instruction ID: d953c99be160a9f553e9a987d6e4d49f0d2b6086114f382b801cee8d1eeedb80
                                                  • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                                  • Instruction Fuzzy Hash: 819190346043159BCB04DF64C8587EA73B2BF8230CF10B41DC86A5BB82DB75A959C7EA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
                                                   • Associated: 00000005.00000002.1839484151.000000006C696000.00000004.00000001.01000000.00000009.sdmp
                                                   • Associated: 00000005.00000002.1839510409.000000006C69C000.00000020.00000001.01000000.00000009.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: D)K$H)K$P)K$T)K
                                                  • API String ID: 0-2262112463
                                                  • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                                  • Instruction ID: 9e24a986ea7c02c17ab25de575e58a46e93729bce6167b68ed9116e9aa72d1b8
                                                  • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                                  • Instruction Fuzzy Hash: 5F518E31A08209DBCF10DFD4DC40ADEB7B1EF9531CF10445AE85167A90DB79AD49CBAA
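                                                   The function entries above are machine-generated and only become useful once they are pulled into structured records that can be pivoted on: which memory dump a function was lifted from, which imports it reaches, and which Opcode IDs recur in another report. The parser below is an added example, not Joe Sandbox's own code or tooling. It assumes the entry layout shown above (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, with Instruction Fuzzy Hash as the last field of each entry). SAMPLE is two entries copied from this report, including the "Download File" link text that the rendered page fuses onto Associated lines; OTHER_REPORT is a constructed, hypothetical second report used only to show the cross-report pivot. Reading an identical Opcode ID as the same opcode sequence is an assumption, stated in the code.

```python
"""Parse Joe Sandbox per-function "Similarity" entries into records and pivot
on them. Added example, not Joe Sandbox code. SAMPLE: two entries copied from
the report; OTHER_REPORT: constructed, hypothetical. Needs Python 3.9+."""
import re
from dataclasses import dataclass, field

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "_free.LIBCMT ref: 6C5B1439", "HeapReAlloc.KERNEL32(00000000,?,...), ref: 6C5B1475",
# "Part of subcall function 6C6027BF: __EH_prolog.LIBCMT ref: 6C6027C4"
_API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_@$][\w@$]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
_SRC_RE = re.compile(
    r"^Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)        # dicts: name, module, args, ref, subcall_of
    strings: list = field(default_factory=list)     # kept verbatim
    dump: str = ""                                  # .sdmp the function was lifted from
    offset: int = 0                                 # base the dump is mapped at
    based_on_pe: bool = False
    associated: list = field(default_factory=list)  # sibling .sdmp files of the same module
    snapshot: str = ""
    similarity: dict = field(default_factory=dict)  # API ID, Opcode ID, fuzzy hashes, ...


def parse_entries(text):
    """An entry ends at its 'Instruction Fuzzy Hash' line, the last field printed."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = _API_RE.match(body)
            if m:
                cur.apis.append({"name": m["name"], "module": m["module"],
                                 "args": m["args"].split(",") if m["args"] else [],
                                 "ref": int(m["ref"], 16),
                                 "subcall_of": int(m["sub"], 16) if m["sub"] else None})
        elif section == "Strings":
            cur.strings.append(body)
        elif section == "Memory Dump Source":
            m = _SRC_RE.match(body)
            if m:
                cur.dump, cur.offset = m["dump"], int(m["offset"], 16)
                cur.based_on_pe = m["pe"] == "true"
            elif body.startswith("Associated:"):
                name = body.split(":", 1)[1].strip()
                cur.associated.append(name.removesuffix("Download File"))  # page link residue
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File:"):
            cur.snapshot = body.split(":", 1)[1].strip()
        elif section == "Similarity":
            key, _, value = body.partition(":")
            cur.similarity[key.strip()] = value.strip()
            if key.strip() == "Instruction Fuzzy Hash":
                entries.append(cur)
                cur, section = FunctionEntry(), None
    return entries


def apis_by_dump(entries):
    """Map each source dump to the sorted MODULE!api names it reaches (subcalls included)."""
    out = {}
    for e in entries:
        out.setdefault(e.dump, set()).update(f"{a['module']}!{a['name']}" for a in e.apis)
    return {dump: sorted(names) for dump, names in out.items()}


def shared_opcode_ids(entries_a, entries_b):
    """Opcode IDs present in both reports. Assumption: equal Opcode ID means the same
    opcode sequence; a hit is a pivot to check, not proof of shared authorship, since
    CRT/library code (e.g. __EH_prolog helpers) matches across unrelated samples."""
    def ids(es):
        return {e.similarity.get("Opcode ID") for e in es} - {None}
    return ids(entries_a) & ids(entries_b)


SAMPLE = """\
APIs
• _free.LIBCMT ref: 6C5B1439
• HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C5ADD2A,?,00000004,?,4B42FCB6,?,?,6C5A2E7C,4B42FCB6,?), ref: 6C5B1475
Strings
Memory Dump Source
• Source File: 00000005.00000002.1837720335.000000006C411000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C410000, based on PE: true
• Associated: 00000005.00000002.1837699068.000000006C410000.00000002.00000001.01000000.00000009.sdmpDownload File
• Associated: 00000005.00000002.1838796873.000000006C5BB000.00000002.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: AllocHeap_free
• String ID: 8Q
• API String ID: 1080816511-4022487301
• Opcode ID: b62a095ab92a7b04c20329a93226c8a8c58c06aecac4adaffdbfea0afea87c5b
• Instruction ID: c8c391f843fda666ea7af66ec18784132d2133d7805e6cd444be4a86e0a7d6b4
• Opcode Fuzzy Hash: b62a095ab92a7b04c20329a93226c8a8c58c06aecac4adaffdbfea0afea87c5b
• Instruction Fuzzy Hash: D9F04632201511E6DB505EB79C20B8FBF289FC3BB8F118129E815B6E80EF70C80680A1
APIs
• __EH_prolog.LIBCMT ref: 6C602746
  • Part of subcall function 6C6027BF: __EH_prolog.LIBCMT ref: 6C6027C4
Strings
Memory Dump Source
• Source File: 00000005.00000002.1838852851.000000006C5CB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C5CB000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6c410000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
Similarity
• API ID: H_prolog
• String ID: ur`l$sJ
• API String ID: 3519838083-2641882569
• Opcode ID: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
• Instruction ID: 2b664d55601f67fd87510e1a30969c6a0702cc57be8a592f080e812ab7708697
• Opcode Fuzzy Hash: 479f86800d12ad63e1b8ae242903cd26d6f9166e8cc8054c33d6365a60c3e9bf
• Instruction Fuzzy Hash: F201A231B00014EBCB05BBA4CD50AEDBB75EFC5718F00801AE441A2B90CF78595ACFDA
"""

# Constructed, hypothetical second report: one entry repeats the HeapReAlloc
# function's Opcode ID, the other is unrelated.
OTHER_REPORT = """\
Similarity
• API ID: AllocHeap_free
• Opcode ID: b62a095ab92a7b04c20329a93226c8a8c58c06aecac4adaffdbfea0afea87c5b
• Instruction Fuzzy Hash: D9F04632201511E6DB505EB79C20B8FBF289FC3BB8F118129E815B6E80EF70C80680A1
Similarity
• API ID: H_prolog
• Opcode ID: 1111111111111111111111111111111111111111111111111111111111111111
• Instruction Fuzzy Hash: 1111111111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    print(apis_by_dump(entries))
    print(shared_opcode_ids(entries, parse_entries(OTHER_REPORT)))
```

                                                   Feeding a whole report through parse_entries and then apis_by_dump is a quick way to see which dump holds the functions that reach HeapReAlloc or the SRW lock routines, while shared_opcode_ids against a second report of the same family gives candidate functions to diff in IDA.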

                                                  Execution Graph

                                                  Execution Coverage:4%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0.4%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:61
                                                   execution_graph: the graph is rendered on the original page as a flattened node list (node id, address, API names, and id->id edges) that is not readable as text; only the API call sequences recoverable from that list are kept here:
                                                   • e07da0: WaitForSingleObject, GetLastError, CloseHandle, GetLastError
                                                   • d71e0c: malloc, _CxxThrowException on failure (reached from many callers; free at d71e40)
                                                   • d79313: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, CloseHandle (token-privilege adjustment; note the GetLastError check after AdjustTokenPrivileges)
                                                   • d7b5fe: VirtualFree (df6a40), CloseHandle (d7764c)
                                                   • e0ffb1: __setusermatherr, _controlfp, _initterm, __getmainargs, __p___initenv, exit, _XcptFilter (CRT start-up)
                                                   • d76868 / d76848 / d76c72: FindFirstFileW, FindClose, GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW, CharUpperW, wcscmp, SetLastError, memmove (file-system enumeration path; d77b41 and d76bb5 are summarised as "28 API calls" and "17 API calls")
                                                   • d9d948, d87e5a, d8459e, daacd3 and the remaining nodes: malloc / free / _CxxThrowException / memmove chains with no other imports
73807->73864 73812 d78cd0 73808->73812 73868 d78f57 memmove 73812->73868 73819 d78c41 73836->73772 73836->73773 73863->73836 73864->73819 73873->73794 73894 d72ba6 2 API calls 73893->73894 73895 d72d68 73894->73895 73895->73539 73895->73895 73896 d7b144 73897 d7b153 73896->73897 73899 d7b159 73896->73899 73900 d811b4 73897->73900 73901 d811c1 73900->73901 73902 d811eb 73901->73902 73905 dbaf27 73901->73905 73912 dbae7c 73901->73912 73902->73899 73906 dbaf36 73905->73906 73909 dbb010 73906->73909 73910 dbaeeb 107 API calls 73906->73910 73917 d7bd0c 73906->73917 73922 dbad3a 73906->73922 73926 dbaebf 107 API calls 73906->73926 73909->73901 73910->73906 73913 dbae86 73912->73913 73915 d87140 7 API calls 73913->73915 74459 d87190 73913->74459 73914 dbaebb 73914->73901 73915->73914 73927 d77ca2 73917->73927 73920 d7bd3d 73920->73906 73923 dbad44 __EH_prolog 73922->73923 73935 d86305 73923->73935 73924 dbadbf 73924->73906 73926->73906 73929 d77caf 73927->73929 73930 d77cdb 73929->73930 73932 d77c68 73929->73932 73930->73920 73931 d7b8ec GetLastError 73930->73931 73931->73920 73933 d77c76 73932->73933 73934 d77c79 WriteFile 73932->73934 73933->73934 73934->73929 73936 d8630f __EH_prolog 73935->73936 73972 d862b9 73936->73972 73939 d86427 73941 d7965d VariantClear 73939->73941 73940 d8644a 73976 d7965d 73940->73976 73965 d86445 73941->73965 73951 d865de 73953 d8669e 73951->73953 73954 d865e7 73951->73954 73952 d864da 73952->73951 73952->73965 74141 d8789c free memmove ctype 73952->74141 73959 d866b8 73953->73959 73960 d86754 73953->73960 73953->73965 73957 d71e0c ctype 2 API calls 73954->73957 73958 d865f6 73954->73958 73957->73958 74142 d936ea 73958->74142 73963 d71e0c ctype 2 API calls 73959->73963 74029 d85bea 73960->74029 73962 d8666b 74155 d71e40 free 73962->74155 73963->73965 73964 d864ca 73964->73952 73964->73965 74140 d742e3 CharUpperW 73964->74140 73965->73924 73966 d8665c 74154 d731e5 malloc _CxxThrowException free _CxxThrowException 73966->74154 73973 d862c9 
73972->73973 74156 d98fa4 73973->74156 73977 d79685 73976->73977 73979 d79665 73976->73979 73980 d85126 73977->73980 73978 d7967e VariantClear 73978->73977 73979->73977 73979->73978 73981 d85130 __EH_prolog 73980->73981 73982 d851b4 73981->73982 73988 d8518e 73981->73988 74200 d73097 malloc _CxxThrowException free SysStringLen ctype 73981->74200 73984 d7965d VariantClear 73982->73984 73982->73988 73986 d851bc 73984->73986 73985 d7965d VariantClear 73987 d8527f 73985->73987 73986->73988 73989 d85289 73986->73989 73990 d85206 73986->73990 73987->73965 74022 d98b05 73987->74022 73988->73985 73989->73988 73991 d85221 73989->73991 74201 d73097 malloc _CxxThrowException free SysStringLen ctype 73990->74201 73993 d7965d VariantClear 73991->73993 73994 d8522d 73993->73994 73994->73987 73995 d85351 73994->73995 74202 d85459 malloc _CxxThrowException __EH_prolog 73994->74202 73995->73987 74001 d853a1 73995->74001 74207 d735e7 memmove 73995->74207 73998 d852ba 74203 d78011 5 API calls ctype 73998->74203 74000 d852cf 74013 d852fd 74000->74013 74204 d7823d 10 API calls 2 library calls 74000->74204 74001->73987 74208 d743b7 5 API calls 2 library calls 74001->74208 74005 d852e5 74006 d72fec 3 API calls 74005->74006 74008 d852f5 74006->74008 74007 d8540e 74210 d8789c free memmove ctype 74007->74210 74205 d71e40 free 74008->74205 74012 d853df 74012->74007 74014 d8541c 74012->74014 74209 d742e3 CharUpperW 74012->74209 74206 d854a0 free ctype 74013->74206 74015 d936ea 5 API calls 74014->74015 74016 d85427 74015->74016 74017 d72fec 3 API calls 74016->74017 74018 d85433 74017->74018 74211 d71e40 free 74018->74211 74020 d8543b 74212 da2db9 free ctype 74020->74212 74023 d98b2e 74022->74023 74024 d7965d VariantClear 74023->74024 74025 d8648a 74024->74025 74025->73965 74026 d84d78 74025->74026 74213 d99262 74026->74213 74030 d85bf4 __EH_prolog 74029->74030 74220 d854c0 74030->74220 74033 d98b05 VariantClear 74034 d85c34 74033->74034 74079 d85e17 74034->74079 74235 d85630 74034->74235 74037 
d936ea 5 API calls 74038 d85c51 74037->74038 74039 d85c60 74038->74039 74340 d857c1 53 API calls 2 library calls 74038->74340 74041 d72f1c 2 API calls 74039->74041 74042 d85c6c 74041->74042 74046 d85caa 74042->74046 74341 d86217 4 API calls 2 library calls 74042->74341 74044 d85c91 74045 d72fec 3 API calls 74044->74045 74051 d72e04 2 API calls 74046->74051 74070 d85d49 74046->74070 74049 d85d91 74050 d85d55 74061 d85cd2 74051->74061 74070->74049 74070->74050 74079->73965 74139 d85110 9 API calls 74139->73964 74140->73964 74141->73951 74143 d936f4 __EH_prolog 74142->74143 74144 d72e04 2 API calls 74143->74144 74150 d9370a 74144->74150 74145 d93736 74146 d72f1c 2 API calls 74145->74146 74149 d93742 74146->74149 74456 d71e40 free 74149->74456 74150->74145 74457 d71089 malloc _CxxThrowException free _CxxThrowException 74150->74457 74458 d731e5 malloc _CxxThrowException free _CxxThrowException 74150->74458 74152 d86633 74152->73962 74152->73966 74153 d71089 malloc _CxxThrowException free _CxxThrowException 74152->74153 74153->73966 74154->73962 74155->73965 74157 d98fae __EH_prolog 74156->74157 74158 d97ebb free 74157->74158 74159 d98ff2 74158->74159 74190 d98b64 74159->74190 74163 d99020 74164 d72fec 3 API calls 74163->74164 74189 d86302 74163->74189 74165 d9903a 74164->74165 74177 d9904d 74165->74177 74194 d98b80 VariantClear 74165->74194 74167 d9917b 74168 d991b0 74167->74168 74169 d99244 74167->74169 74197 d98b9c 10 API calls 2 library calls 74168->74197 74199 d743b7 5 API calls 2 library calls 74169->74199 74170 d99144 74170->74167 74174 d72f88 3 API calls 74170->74174 74173 d991c0 74182 d72f88 3 API calls 74173->74182 74173->74189 74174->74167 74175 d99100 74178 d7965d VariantClear 74175->74178 74176 d990d6 74176->74175 74179 d990e7 74176->74179 74196 d98f2e 9 API calls 74176->74196 74177->74170 74177->74175 74177->74176 74177->74189 74195 d73097 malloc _CxxThrowException free SysStringLen ctype 74177->74195 74178->74189 74184 d7965d VariantClear 74179->74184 
74186 d991ff 74182->74186 74183 d99112 74183->74175 74185 d98b64 VariantClear 74183->74185 74184->74170 74187 d99123 74185->74187 74186->74189 74198 d750ff free ctype 74186->74198 74187->74175 74187->74179 74189->73939 74189->73940 74189->73965 74191 d98b05 VariantClear 74190->74191 74192 d98b6f 74191->74192 74192->74189 74193 d98f2e 9 API calls 74192->74193 74193->74163 74194->74177 74195->74176 74196->74183 74197->74173 74198->74189 74199->74189 74200->73982 74201->73991 74202->73998 74203->74000 74204->74005 74205->74013 74206->73995 74207->73995 74208->74012 74209->74012 74210->74014 74211->74020 74212->73987 74214 d9926c __EH_prolog 74213->74214 74215 d992a4 74214->74215 74216 d992fc 74214->74216 74217 d7965d VariantClear 74215->74217 74218 d7965d VariantClear 74216->74218 74219 d84d91 74217->74219 74218->74219 74219->73964 74219->73965 74219->74139 74221 d854ca __EH_prolog 74220->74221 74223 d7965d VariantClear 74221->74223 74225 d85507 74221->74225 74222 d7965d VariantClear 74224 d85567 74222->74224 74226 d85528 74223->74226 74224->74033 74224->74079 74225->74222 74226->74225 74227 d85572 74226->74227 74228 d7965d VariantClear 74227->74228 74229 d8558e 74228->74229 74375 d84cac VariantClear __EH_prolog 74229->74375 74231 d855a1 74231->74224 74376 d84cac VariantClear __EH_prolog 74231->74376 74233 d855b8 74233->74224 74377 d84cac VariantClear __EH_prolog 74233->74377 74236 d8563a __EH_prolog 74235->74236 74238 d85679 74236->74238 74378 d93558 10 API calls 2 library calls 74236->74378 74239 d8571a 74238->74239 74240 d72f1c 2 API calls 74238->74240 74239->74037 74241 d85696 74240->74241 74379 d93333 malloc _CxxThrowException free 74241->74379 74243 d856a2 74244 d856ad 74243->74244 74245 d856c5 74243->74245 74380 d87853 5 API calls 2 library calls 74244->74380 74247 d856b4 74245->74247 74381 d74adf wcscmp 74245->74381 74249 d85707 74247->74249 74383 d71089 malloc _CxxThrowException free _CxxThrowException 74247->74383 74384 d731e5 malloc _CxxThrowException free 
_CxxThrowException 74249->74384 74251 d856d2 74251->74247 74382 d87853 5 API calls 2 library calls 74251->74382 74253 d85712 74340->74039 74341->74044 74375->74231 74376->74233 74377->74224 74378->74238 74379->74243 74380->74247 74381->74251 74382->74247 74383->74249 74384->74253 74456->74152 74457->74150 74458->74150 74460 d8719a __EH_prolog 74459->74460 74461 d871b0 74460->74461 74464 d871dd 74460->74464 74462 d84d78 VariantClear 74461->74462 74469 d871b7 74462->74469 74472 d86fc5 74464->74472 74465 d872b4 74466 d84d78 VariantClear 74465->74466 74467 d872c0 74465->74467 74466->74467 74468 d87140 7 API calls 74467->74468 74467->74469 74468->74469 74469->73914 74470 d87236 74470->74465 74470->74469 74471 d872a3 SetFileSecurityW 74470->74471 74471->74465 74473 d86fcf __EH_prolog 74472->74473 74498 d844a6 74473->74498 74480 d87029 74481 d8706a 74480->74481 74520 d84dff 7 API calls 2 library calls 74480->74520 74501 d868ac 74481->74501 74482 d8709e 74525 d71e40 free 74482->74525 74483 d87051 74483->74481 74486 d811b4 107 API calls 74483->74486 74485 d870c0 74521 d76096 15 API calls 2 library calls 74485->74521 74486->74481 74487 d8712e 74487->74470 74489 d870d1 74490 d870e2 74489->74490 74522 d84dff 7 API calls 2 library calls 74489->74522 74495 d870e6 74490->74495 74523 d86b5e 69 API calls 2 library calls 74490->74523 74493 d870fd 74494 d87103 74493->74494 74493->74495 74524 d71e40 free 74494->74524 74495->74482 74497 d8710b 74497->74487 74499 d72e04 2 API calls 74498->74499 74500 d844be 74499->74500 74500->74480 74500->74481 74519 d86e71 12 API calls 2 library calls 74500->74519 74502 d868b6 __EH_prolog 74501->74502 74503 d86921 74502->74503 74505 d77d4b 6 API calls 74502->74505 74516 d868c5 74502->74516 74504 d86962 74503->74504 74508 d86998 74503->74508 74528 d86a17 6 API calls 2 library calls 74503->74528 74504->74508 74529 d72dcd malloc _CxxThrowException 74504->74529 74506 d86906 74505->74506 74506->74503 74527 d84dff 7 API calls 2 library calls 74506->74527 
74507 d869e1 74532 d7bcf8 CloseHandle 74507->74532 74508->74507 74526 d77c3b SetFileTime 74508->74526 74513 d8697a 74530 d86b09 13 API calls __EH_prolog 74513->74530 74516->74482 74516->74485 74517 d8698c 74531 d71e40 free 74517->74531 74519->74480 74520->74483 74521->74489 74522->74490 74523->74493 74524->74497 74525->74487 74526->74507 74527->74503 74528->74504 74529->74513 74530->74517 74531->74508 74532->74516 74533 db0343 74538 db035f 74533->74538 74536 db0358 74539 db0369 __EH_prolog 74538->74539 74555 d8139e 74539->74555 74547 db03a2 74572 d71e40 free 74547->74572 74549 db03aa 74573 db03d8 74549->74573 74554 d71e40 free 74554->74536 74556 d813ae 74555->74556 74558 d813b3 74555->74558 74589 e07ea0 SetEvent GetLastError 74556->74589 74559 db01c4 74558->74559 74561 db01ce __EH_prolog 74559->74561 74563 db0203 74561->74563 74591 d71e40 free 74561->74591 74562 db020b 74565 db0143 74562->74565 74590 d71e40 free 74563->74590 74569 db014d __EH_prolog 74565->74569 74567 db018a 74571 d71e40 free 74567->74571 74568 db0182 74592 d71e40 free 74568->74592 74569->74568 74593 d71e40 free 74569->74593 74571->74547 74572->74549 74574 db03e2 __EH_prolog 74573->74574 74575 d8139e ctype 2 API calls 74574->74575 74576 db03fb 74575->74576 74594 e07d50 74576->74594 74578 db0403 74579 e07d50 ctype 2 API calls 74578->74579 74580 db040b 74579->74580 74581 e07d50 ctype 2 API calls 74580->74581 74582 db03b7 74581->74582 74583 db004a 74582->74583 74584 db0054 __EH_prolog 74583->74584 74600 d71e40 free 74584->74600 74586 db0067 74601 d71e40 free 74586->74601 74588 db006f 74588->74536 74588->74554 74589->74558 74590->74562 74591->74561 74592->74567 74593->74569 74595 e07d59 CloseHandle 74594->74595 74598 e07d7b 74594->74598 74596 e07d64 GetLastError 74595->74596 74597 e07d75 74595->74597 74596->74598 74599 e07d6e 74596->74599 74597->74598 74598->74578 74599->74578 74600->74586 74601->74588 74602 df6bc6 74603 df6bcd 74602->74603 74604 df6bca 74602->74604 74603->74604 74605 df6bd1 malloc 
74603->74605 74605->74604 74606 d9d3c2 74607 d9d3e9 74606->74607 74608 d7965d VariantClear 74607->74608 74609 d9d42a 74608->74609 74610 d9d883 2 API calls 74609->74610 74611 d9d4b1 74610->74611 74697 d98d4a 74611->74697 74614 d98b05 VariantClear 74617 d9d4e3 74614->74617 74714 d92a72 74617->74714 74618 d72fec 3 API calls 74619 d9d594 74618->74619 74620 d9d5cd 74619->74620 74621 d9d742 74619->74621 74623 d9d7d9 74620->74623 74718 d99317 74620->74718 74745 d9cd49 malloc _CxxThrowException free 74621->74745 74748 d71e40 free 74623->74748 74624 d9d754 74627 d72fec 3 API calls 74624->74627 74630 d9d763 74627->74630 74628 d9d7e1 74749 d71e40 free 74628->74749 74746 d71e40 free 74630->74746 74632 d9d5f1 74635 db04d2 5 API calls 74632->74635 74634 d9d7e9 74637 d9326b free 74634->74637 74638 d9d5f9 74635->74638 74636 d9d76b 74747 d71e40 free 74636->74747 74648 d9d69a 74637->74648 74724 d9e332 74638->74724 74642 d9d773 74644 d9326b free 74642->74644 74644->74648 74645 d9d610 74731 d71e40 free 74645->74731 74647 d9d618 74732 d9326b 74647->74732 74650 d9d2a8 74650->74648 74672 d9d883 74650->74672 74673 d9d88d __EH_prolog 74672->74673 74674 d72e04 2 API calls 74673->74674 74675 d9d8c6 74674->74675 74676 d72e04 2 API calls 74675->74676 74677 d9d8d2 74676->74677 74678 d72e04 2 API calls 74677->74678 74679 d9d8de 74678->74679 74750 d92b63 74679->74750 74698 d98d54 __EH_prolog 74697->74698 74712 d98da4 74698->74712 74758 d72b55 malloc _CxxThrowException free _CxxThrowException ctype 74698->74758 74699 d98e09 74702 d7965d VariantClear 74699->74702 74700 d98e15 74701 d98e2d 74700->74701 74703 d98e5e 74700->74703 74704 d98e21 74700->74704 74701->74703 74705 d98e2b 74701->74705 74706 d98e11 74702->74706 74708 d7965d VariantClear 74703->74708 74759 d73097 malloc _CxxThrowException free SysStringLen ctype 74704->74759 74710 d7965d VariantClear 74705->74710 74706->74614 74708->74706 74711 d98e47 74710->74711 74711->74706 74760 d98e7c 6 API calls __EH_prolog 74711->74760 74712->74699 
74712->74700 74712->74706 74715 d92a82 74714->74715 74716 d72e04 2 API calls 74715->74716 74717 d92a9f 74716->74717 74717->74618 74719 d99321 __EH_prolog 74718->74719 74720 d99360 74719->74720 74761 d79686 VariantClear 74719->74761 74721 d7965d VariantClear 74720->74721 74722 d993d0 74721->74722 74722->74623 74722->74632 74725 d9e33c __EH_prolog 74724->74725 74726 d71e0c ctype 2 API calls 74725->74726 74727 d9e34a 74726->74727 74728 d9d608 74727->74728 74762 d9e3d1 malloc _CxxThrowException __EH_prolog 74727->74762 74730 d71e40 free 74728->74730 74730->74645 74731->74647 74733 d93275 __EH_prolog 74732->74733 74763 d92c0b 74733->74763 74736 d92c0b ctype free 74737 d93296 74736->74737 74768 d71e40 free 74737->74768 74739 d9329e 74769 d71e40 free 74739->74769 74741 d932a6 74770 d71e40 free 74741->74770 74743 d932ae 74743->74650 74745->74624 74746->74636 74747->74642 74748->74628 74749->74634 74751 d92b6d __EH_prolog 74750->74751 74752 d72e04 2 API calls 74751->74752 74753 d92b9a 74752->74753 74758->74712 74759->74705 74760->74706 74761->74720 74762->74728 74771 d71e40 free 74763->74771 74765 d92c16 74772 d71e40 free 74765->74772 74767 d92c1e 74767->74736 74768->74739 74769->74741 74770->74743 74771->74765 74772->74767 74773 d9a7c5 74791 d9a7e9 74773->74791 74825 d9a96b 74773->74825 74774 d9ade3 74878 d71e40 free 74774->74878 74776 d9a952 74776->74825 74859 d9e0b0 6 API calls 74776->74859 74777 d9adeb 74879 d71e40 free 74777->74879 74781 d9ac1e 74865 d71e40 free 74781->74865 74782 d9ae99 74783 d71e0c ctype 2 API calls 74782->74783 74786 d9aea9 memset memset 74783->74786 74789 d9aedd 74786->74789 74787 d9ac26 74866 d71e40 free 74787->74866 74788 d9adf3 74788->74782 74793 db04d2 malloc _CxxThrowException free _CxxThrowException memcpy 74788->74793 74880 d71e40 free 74789->74880 74791->74776 74798 db04d2 5 API calls 74791->74798 74858 d9e0b0 6 API calls 74791->74858 74793->74788 74795 d9aee5 74881 d71e40 free 74795->74881 74798->74791 74799 d9aef0 74882 d71e40 free 
74799->74882 74803 d9c430 74884 d71e40 free 74803->74884 74805 d9ac6c 74867 d71e40 free 74805->74867 74806 d9c438 74885 d71e40 free 74806->74885 74808 d9ac2e 74883 d71e40 free 74808->74883 74811 d9c443 74886 d71e40 free 74811->74886 74812 d9ac85 74868 d71e40 free 74812->74868 74815 d9c44e 74887 d71e40 free 74815->74887 74817 d9c459 74819 d9ad88 74875 d98125 free ctype 74819->74875 74823 d9ad17 74872 d98125 free ctype 74823->74872 74824 d9ad93 74876 d71e40 free 74824->74876 74825->74774 74825->74781 74825->74805 74825->74819 74825->74823 74826 d9acbc 74825->74826 74840 d8101c 74825->74840 74843 d998f2 74825->74843 74849 d9cc6f 74825->74849 74860 d99531 5 API calls __EH_prolog 74825->74860 74861 d980c1 malloc _CxxThrowException __EH_prolog 74825->74861 74862 d9c820 5 API calls 2 library calls 74825->74862 74863 d9814d 6 API calls 74825->74863 74864 d98125 free ctype 74825->74864 74869 d98125 free ctype 74826->74869 74830 d9acc7 74870 d71e40 free 74830->74870 74831 d9ad3c 74873 d71e40 free 74831->74873 74832 d9adac 74877 d71e40 free 74832->74877 74836 d9ace0 74871 d71e40 free 74836->74871 74837 d9ad55 74874 d71e40 free 74837->74874 74888 d7b95a 74840->74888 74844 d998fc __EH_prolog 74843->74844 74895 d99987 74844->74895 74846 d99970 74846->74825 74847 d99911 74847->74846 74899 d9ef8d 12 API calls 2 library calls 74847->74899 74939 dbcf91 74849->74939 74947 db5505 74849->74947 74951 dbf445 74849->74951 74850 d9cc8b 74854 d9cccb 74850->74854 74957 d9979e VariantClear __EH_prolog 74850->74957 74852 d9ccb1 74852->74854 74958 d9cae9 VariantClear 74852->74958 74854->74825 74858->74791 74859->74825 74860->74825 74861->74825 74862->74825 74863->74825 74864->74825 74865->74787 74866->74808 74867->74812 74868->74808 74869->74830 74870->74836 74871->74808 74872->74831 74873->74837 74874->74808 74875->74824 74876->74832 74877->74808 74878->74777 74879->74788 74880->74795 74881->74799 74882->74808 74883->74803 74884->74806 74885->74811 74886->74815 74887->74817 74889 d7b969 
74888->74889 74890 d7b97d 74888->74890 74889->74890 74891 d77731 5 API calls 74889->74891 74890->74825 74892 d7b9ee 74891->74892 74892->74890 74894 d7b8ec GetLastError 74892->74894 74894->74890 74896 d99991 __EH_prolog 74895->74896 74900 dc80aa 74896->74900 74897 d999a8 74897->74847 74899->74846 74901 dc80b4 __EH_prolog 74900->74901 74902 d71e0c ctype 2 API calls 74901->74902 74903 dc80bf 74902->74903 74904 dc80d3 74903->74904 74906 dbbdb5 74903->74906 74904->74897 74907 dbbdbf __EH_prolog 74906->74907 74912 dbbe69 74907->74912 74909 dbbdef 74910 d72e04 2 API calls 74909->74910 74911 dbbe16 74910->74911 74911->74904 74913 dbbe73 __EH_prolog 74912->74913 74916 db5e2b 74913->74916 74915 dbbe7f 74915->74909 74917 db5e35 __EH_prolog 74916->74917 74922 db08b6 74917->74922 74919 db5e41 74927 d8dfc9 malloc _CxxThrowException __EH_prolog 74919->74927 74921 db5e57 74921->74915 74928 d79c60 74922->74928 74924 db08c4 74933 d79c8f GetModuleHandleA GetProcAddress 74924->74933 74926 db08f3 __aulldiv 74926->74919 74927->74921 74938 d79c4d GetCurrentProcess GetProcessAffinityMask 74928->74938 74930 d79c6e 74931 d79c80 GetSystemInfo 74930->74931 74932 d79c79 74930->74932 74931->74924 74932->74924 74934 d79cc4 GlobalMemoryStatusEx 74933->74934 74935 d79cef GlobalMemoryStatus 74933->74935 74934->74935 74937 d79cce 74934->74937 74936 d79d08 74935->74936 74936->74937 74937->74926 74938->74930 74940 dbcf9b __EH_prolog 74939->74940 74941 dbf445 14 API calls 74940->74941 74942 dbd018 74941->74942 74946 dbd01f 74942->74946 74959 dc1511 74942->74959 74944 dbd08b 74944->74946 74965 dc2c5d 11 API calls 2 library calls 74944->74965 74946->74850 74948 db550f __EH_prolog 74947->74948 75346 db4e8a 74948->75346 74952 dbf455 74951->74952 75569 d81092 74952->75569 74955 dbf478 74955->74850 74957->74852 74958->74854 74960 dc151b __EH_prolog 74959->74960 74966 dc10d3 74960->74966 74963 dc1589 74963->74944 74964 dc1552 _CxxThrowException 74964->74944 74964->74963 74965->74946 74967 dc10dd __EH_prolog 
74966->74967 74998 dbd1b7 74967->74998 74970 dc12ef 74970->74963 74970->74964 74971 dc11f4 74971->74970 74997 d7b95a 6 API calls 74971->74997 74972 dc139e 74972->74970 74973 dc13c4 74972->74973 74974 d71e0c ctype 2 API calls 74972->74974 75005 d81168 74973->75005 74974->74973 74976 d81168 10 API calls 74976->74971 74977 dc13de 75049 d71e40 free 74977->75049 74978 dc13da 74978->74977 74981 dc13f9 74978->74981 75043 dbef67 _CxxThrowException 74978->75043 75008 dbf047 74981->75008 74984 dc14ba 75047 dc0943 50 API calls 2 library calls 74984->75047 74986 dc1450 75012 dc06ae 74986->75012 74989 dc14e7 75048 da2db9 free ctype 74989->75048 74997->74972 75050 dbd23c 74998->75050 75000 dbd1ed 75057 d71e40 free 75000->75057 75002 dbd209 75058 d71e40 free 75002->75058 75004 dbd21c 75004->74970 75004->74971 75004->74976 75086 d8111c 75005->75086 75009 dbf063 75008->75009 75010 dbf072 75009->75010 75122 dbef67 _CxxThrowException 75009->75122 75010->74984 75010->74986 75044 dbef67 _CxxThrowException 75010->75044 75013 dc06b8 __EH_prolog 75012->75013 75123 dc03f4 75013->75123 75043->74981 75044->74986 75047->74989 75048->74977 75049->74970 75059 dbd2b8 75050->75059 75055 dbd275 75055->75000 75056 dbd25e 75076 d71e40 free 75056->75076 75057->75002 75058->75004 75078 d71e40 free 75059->75078 75061 dbd2c8 75079 d71e40 free 75061->75079 75063 dbd2dc 75080 d71e40 free 75063->75080 75065 dbd2e7 75081 d71e40 free 75065->75081 75067 dbd2f2 75082 d71e40 free 75067->75082 75069 dbd2fd 75083 d71e40 free 75069->75083 75071 dbd308 75084 d71e40 free 75071->75084 75073 dbd313 75074 dbd246 75073->75074 75085 d71e40 free 75073->75085 75074->75056 75077 d71e40 free 75074->75077 75076->75055 75077->75056 75078->75061 75079->75063 75080->75065 75081->75067 75082->75069 75083->75071 75084->75073 75085->75074 75087 d81130 75086->75087 75088 d8115f 75087->75088 75091 d7d331 75087->75091 75095 d7b668 75087->75095 75088->74978 75093 d7d355 75091->75093 75092 d7d374 75092->75087 75093->75092 75094 d7b668 
10 API calls 75093->75094 75094->75092 75098 d7b675 75095->75098 75100 d7b6aa 75098->75100 75101 d7b81b 75098->75101 75102 d77731 5 API calls 75098->75102 75104 d7b7e7 75098->75104 75106 d7b7ad 75098->75106 75107 d7b811 75098->75107 75112 d7b864 75098->75112 75119 d77b4f ReadFile 75098->75119 75099 d7b8aa GetLastError 75099->75100 75100->75087 75101->75100 75103 d7b839 memcpy 75101->75103 75102->75098 75103->75100 75105 d77731 5 API calls 75104->75105 75104->75112 75108 d7b80d 75105->75108 75106->75098 75113 d7b8c7 75106->75113 75118 df6a20 VirtualAlloc 75106->75118 75120 d7b8ec GetLastError 75107->75120 75108->75107 75108->75112 75114 d77b7c 75112->75114 75113->75100 75115 d77b89 75114->75115 75121 d77b4f ReadFile 75115->75121 75117 d77b9a 75117->75099 75117->75100 75118->75106 75119->75098 75120->75100 75121->75117 75122->75010 75124 dbf047 _CxxThrowException 75123->75124 75125 dc0407 75124->75125 75127 dbf047 _CxxThrowException 75125->75127 75128 dc0475 75125->75128 75126 dc049a 75129 dc04b8 75126->75129 75262 dc159a malloc _CxxThrowException free ctype 75126->75262 75131 dc0421 75127->75131 75128->75126 75261 dbfa3f 22 API calls 2 library calls 75128->75261 75130 dc04e8 75129->75130 75133 dc04cd 75129->75133 75264 dc7c4a malloc _CxxThrowException free ctype 75130->75264 75134 dc043e 75131->75134 75258 dbef67 _CxxThrowException 75131->75258 75263 dbfff0 9 API calls 2 library calls 75133->75263 75259 dbf93c 7 API calls 2 library calls 75134->75259 75136 dc0492 75140 dbf047 _CxxThrowException 75136->75140 75139 dc04f3 75144 dc04e3 75139->75144 75265 d8089e malloc _CxxThrowException free _CxxThrowException memcpy 75139->75265 75140->75126 75142 dc04db 75146 dbf047 _CxxThrowException 75142->75146 75148 dc054a 75144->75148 75266 dbef67 _CxxThrowException 75144->75266 75145 dc0446 75147 dc046d 75145->75147 75260 dbef67 _CxxThrowException 75145->75260 75146->75144 75149 dbf047 _CxxThrowException 75147->75149 75149->75128 75258->75134 75259->75145 75260->75147 
75261->75136 75262->75129 75263->75142 75264->75139 75265->75139 75266->75148 75347 db4e94 __EH_prolog 75346->75347 75348 d72e04 2 API calls 75347->75348 75451 db4f1d 75347->75451 75349 db4ed7 75348->75349 75478 d87fc5 75349->75478 75351 db4f0a 75353 d7965d VariantClear 75351->75353 75352 db4f37 75354 db4f63 75352->75354 75355 db4f41 75352->75355 75357 db4f15 75353->75357 75356 d72f88 3 API calls 75354->75356 75358 d7965d VariantClear 75355->75358 75359 db4f71 75356->75359 75499 d71e40 free 75357->75499 75361 db4f4c 75358->75361 75363 d7965d VariantClear 75359->75363 75500 d71e40 free 75361->75500 75364 db4f80 75363->75364 75501 d85bcf malloc _CxxThrowException 75364->75501 75366 db4f9a 75367 d72e47 2 API calls 75366->75367 75368 db4fad 75367->75368 75369 d72f1c 2 API calls 75368->75369 75370 db4fbd 75369->75370 75371 d72e04 2 API calls 75370->75371 75372 db4fd1 75371->75372 75373 d72e04 2 API calls 75372->75373 75379 db4fdd 75373->75379 75374 db5404 75546 d71e40 free 75374->75546 75376 db540c 75547 d71e40 free 75376->75547 75378 db5414 75548 d71e40 free 75378->75548 75379->75374 75502 d85bcf malloc _CxxThrowException 75379->75502 75382 db5099 75384 d72da9 2 API calls 75382->75384 75383 db541c 75549 d71e40 free 75383->75549 75386 db50a9 75384->75386 75388 d72fec 3 API calls 75386->75388 75387 db5424 75550 d71e40 free 75387->75550 75391 db50b6 75388->75391 75390 db542c 75551 d71e40 free 75390->75551 75503 d71e40 free 75391->75503 75394 db50be 75504 d71e40 free 75394->75504 75396 db50cd 75397 d72f88 3 API calls 75396->75397 75398 db50e3 75397->75398 75399 db50f1 75398->75399 75400 db5100 75398->75400 75505 d730ea 75399->75505 75511 d73044 malloc _CxxThrowException free ctype 75400->75511 75403 db50fe 75512 d81029 6 API calls 75403->75512 75405 db511a 75406 db516b 75405->75406 75407 db5120 75405->75407 75519 d8089e malloc _CxxThrowException free _CxxThrowException memcpy 75406->75519 75513 d71e40 free 75407->75513 75410 db5187 75414 db04d2 5 API calls 75410->75414 

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(00000020,00D81EC5,?,7597AB50,?,?,?,?,00D81EC5,00D81CEF), ref: 00D79329
                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00D81EC5,00D81CEF), ref: 00D79330
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00D79342
                                                  • AdjustTokenPrivileges.KERNELBASE(00D81EC5,00000000,?,00000000,00000000,00000000), ref: 00D79368
                                                  • GetLastError.KERNEL32 ref: 00D79372
                                                  • CloseHandle.KERNELBASE(00D81EC5,?,?,?,?,00D81EC5,00D81CEF), ref: 00D79388
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeRestorePrivilege
                                                  • API String ID: 3398352648-1684392131
                                                  • Opcode ID: 6bfb938c78adf810e53672f17052c637c7c7e6879c0657b14640217caa334001
                                                  • Instruction ID: d84883584d9a8288541420d16cc4e83c61f50d51738298ce9a41217c4524a3cd
                                                  • Opcode Fuzzy Hash: 6bfb938c78adf810e53672f17052c637c7c7e6879c0657b14640217caa334001
                                                  • Instruction Fuzzy Hash: AD018076A85228AFCB109FF29C59FEEBF7CAF05344F148165E545E2190E6748608D7B0

                                                  Control-flow Graph
                                                  control_flow_graph 1081 d83d66-d83d9c call e0fb10 GetCurrentProcess call d83e04 OpenProcessToken 1086 d83d9e-d83dbe LookupPrivilegeValueW 1081->1086 1087 d83de3-d83dfe call d83e04 1081->1087 1086->1087 1089 d83dc0-d83dd3 AdjustTokenPrivileges 1086->1089 1089->1087 1091 d83dd5-d83de1 GetLastError 1089->1091 1091->1087
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D83D6B
                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83D7D
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83D94
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00D83DB6
                                                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83DCB
                                                  • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83DD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID: SeSecurityPrivilege
                                                  • API String ID: 3475889169-2333288578
                                                  • Opcode ID: d72806b4a1c3938bd8a796f5be7c9f4850f75b4d351b443c1270ee86ca9b0980
                                                  • Instruction ID: 719c663a17bb66189591acebd38c26305ac4a9ed1d65f79aee8837f3094bf48d
                                                  • Opcode Fuzzy Hash: d72806b4a1c3938bd8a796f5be7c9f4850f75b4d351b443c1270ee86ca9b0980
                                                  • Instruction Fuzzy Hash: BF113CB1980219AFDB10EFA5CC85AFEBBBCFB08744F504629E416F2190D7348A088B70
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DB81F1
                                                    • Part of subcall function 00DBF749: _CxxThrowException.MSVCRT(?,00E24A58), ref: 00DBF792
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionH_prologThrow
                                                  • String ID:
                                                  • API String ID: 461045715-3916222277
                                                  • Opcode ID: 7c4f6d9c8a92b7b76036a72aad03ded9af287dabf6d03900439832b016906aa1
                                                  • Instruction ID: 7a6e539d4c8a357d28b64402716610db5dc4cc5420b91e5a05d7b95a807cb9f8
                                                  • Opcode Fuzzy Hash: 7c4f6d9c8a92b7b76036a72aad03ded9af287dabf6d03900439832b016906aa1
                                                  • Instruction Fuzzy Hash: AF927B30900259DFDF15DFA8C884BEEBBB5AF18304F284199E846AB292DB70DD45DB71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D7686D
                                                    • Part of subcall function 00D76848: FindClose.KERNELBASE(00000000,?,00D76880), ref: 00D76853
                                                  • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00D768A5
                                                  • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00D768DE
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: Find$FileFirst$CloseH_prolog
                                                  • String ID:
                                                  • API String ID: 3371352514-0
                                                  • Opcode ID: da8064d748eec2a08e5cae90467e127f70f77c12f495a6d8489f0a7a06841fae
                                                  • Instruction ID: 26f208f5b6890794327aa7b014aa3360937e89dc990fdc9b6ad98816d45deab0
                                                  • Opcode Fuzzy Hash: da8064d748eec2a08e5cae90467e127f70f77c12f495a6d8489f0a7a06841fae
                                                  • Instruction Fuzzy Hash: 9511DD31500609ABCB24EF64C8559EDB7B9EF50320F248229E9A8671D1FB31CE86DB70

                                                  Control-flow Graph
                                                  control_flow_graph 0 daa013-daa01a 1 daa37a-daa544 call db04d2 call d71524 call db04d2 call d71524 call d71e0c 0->1 2 daa020-daa02d call d81ac8 0->2 60 daa551 1->60 61 daa546-daa54f call dab0fa 1->61 8 daa22e-daa235 2->8 9 daa033-daa03a 2->9 10 daa23b-daa24d call dab4f6 8->10 11 daa367-daa375 call dab55f 8->11 13 daa03c-daa042 9->13 14 daa054-daa089 call da92d3 9->14 26 daa259-daa2fb call d97ebb call d727bb call d726dd call d93d70 call daad99 call d727bb 10->26 27 daa24f-daa253 10->27 25 daac23-daac2a 11->25 13->14 18 daa044-daa04f call d730ea 13->18 29 daa08b-daa091 14->29 30 daa099 14->30 18->14 32 daac3a-daac66 call dab96d call d71e40 call d93247 25->32 33 daac2c-daac33 25->33 92 daa2fd 26->92 93 daa303-daa362 call dab6ab call da2db9 call d71e40 * 2 call dabff8 26->93 27->26 29->30 36 daa093-daa097 29->36 31 daa09d-daa0de call d72fec call dab369 30->31 56 daa0ea-daa0fa 31->56 57 daa0e0-daa0e4 31->57 70 daac68-daac6a 32->70 71 daac6e-daacb5 call d71e40 call d711c2 call dabe0c call da2db9 32->71 33->32 38 daac35 33->38 36->31 43 daac35 call dab988 38->43 43->32 62 daa0fc-daa102 56->62 63 daa10d 56->63 57->56 67 daa553-daa55c 60->67 61->67 62->63 68 daa104-daa10b 62->68 69 daa114-daa19e call d72fec call d97ebb call daad99 63->69 75 daa55e-daa560 67->75 76 daa564-daa5c1 call d72fec call dab277 67->76 68->69 101 daa1a2 call d9f8e0 69->101 70->71 75->76 99 daa5cd-daa652 call daad06 call dabf3e call d83a29 call d72e04 call d94345 76->99 100 daa5c3-daa5c7 76->100 92->93 93->25 136 daa676-daa6c8 call d92096 99->136 137 daa654-daa671 call d9375c call dab96d 99->137 100->99 106 daa1a7-daa1b1 101->106 110 daa1b3-daa1bb call dac7d7 106->110 111 daa1c0-daa1c9 106->111 110->111 116 daa1cb 111->116 117 daa1d1-daa229 call dab6ab call da2db9 call d71e40 call dabfa4 call da940b 111->117 116->117 117->25 144 daa6cd-daa6d6 136->144 137->136 145 daa6d8-daa6dd call dac7d7 144->145 146 daa6e2-daa6e5 144->146 145->146 150 daa72e-daa73a 146->150 151 daa6e7-daa6ee 146->151 154 daa79e-daa7aa 150->154 155 daa73c-daa74a call d71fa0 150->155 152 daa722-daa725 151->152 153 daa6f0-daa71d call d71fa0 fputs call d71fa0 call d71fb3 call d71fa0 151->153 152->150 160 daa727 152->160 153->152 158 daa7d9-daa7e5 154->158 159 daa7ac-daa7b2 154->159 166 daa74c-daa753 155->166 167 daa755-daa799 fputs call d72201 call d71fa0 fputs call d72201 call d71fa0 155->167 162 daa818-daa81a 158->162 163 daa7e7-daa7ed 158->163 159->158 165 daa7b4-daa7d4 fputs call d72201 call d71fa0 159->165 160->150 168 daa899-daa8a5 162->168 171 daa81c-daa82b 162->171 163->168 169 daa7f3-daa813 fputs call d72201 call d71fa0 163->169 165->158 166->154 166->167 167->154 175 daa8e9-daa8ed 168->175 176 daa8a7-daa8ad 168->176 169->162 178 daa82d-daa84c fputs call d72201 call d71fa0 171->178 179 daa851-daa85d 171->179 184 daa8ef 175->184 189 daa8f6-daa8f8 175->189 176->184 185 daa8af-daa8c2 call d71fa0 176->185 178->179 179->168 188 daa85f-daa872 call d71fa0 179->188 184->189 185->184 211 daa8c4-daa8e4 fputs call d72201 call d71fa0 185->211 188->168 206 daa874-daa894 fputs call d72201 call d71fa0 188->206 190 daa8fe-daa90a 189->190 191 daaaaf-daaaeb call d943b3 call d71e40 call dac104 call daad82 189->191 200 daaa73-daaa89 call d71fa0 190->200 201 daa910-daa91f 190->201 247 daac0b-daac1e call da2db9 * 2 191->247 248 daaaf1-daaaf7 191->248 200->191 223 daaa8b-daaaaa fputs call d72201 call d71fa0 200->223 201->200 208 daa925-daa929 201->208 206->168 208->191 214 daa92f-daa93d 208->214 211->175 220 daa96a-daa971 214->220 221 daa93f-daa964 fputs call d72201 call d71fa0 214->221 228 daa98f-daa9a8 fputs call d72201 220->228 229 daa973-daa97a 220->229 221->220 223->191 237 daa9ad-daa9bd call d71fa0 228->237 229->228 234 daa97c-daa982 229->234 234->228 240 daa984-daa98d 234->240 245 daaa06-daaa1f fputs call d72201 237->245 250 daa9bf-daaa01 fputs call d72201 call d71fa0 fputs call d72201 call d71fa0 237->250 240->228 240->245 252 daaa24-daaa29 call d71fa0 245->252 247->25 248->247 250->245 259 daaa2e-daaa4b fputs call d72201 252->259 262 daaa50-daaa5b call d71fa0 259->262 262->191 268 daaa5d-daaa71 call d71fa0 call da710e 262->268 268->191
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$ExceptionThrow
                                                  • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&$p&$N
                                                  • API String ID: 3665150552-812711939
                                                  • Opcode ID: 558e5fe39d2894729761fd0aa8c126a859171bb03f19fd96c1cf101fb1720832
                                                  • Instruction ID: 104883671e5f8dfbf98c826702fa25723986733a932c5053edcc2cd01b1b322f
                                                  • Opcode Fuzzy Hash: 558e5fe39d2894729761fd0aa8c126a859171bb03f19fd96c1cf101fb1720832
                                                  • Instruction Fuzzy Hash: 1C525A31900258DFDF26DBA8C895BEDBBB5EF45300F14419AE44967292EB346E88CF31

                                                  Control-flow Graph
                                                  control_flow_graph 274 daa42c-daa433 275 daa449-daa4df call da545d call d72e04 call d91858 call d71e40 274->275 276 daa435-daa444 fputs call d71fa0 274->276 286 daa4ee-daa4f1 275->286 287 daa4e1-daa4e9 call dac7d7 275->287 276->275 289 daa50e-daa520 call dac73e 286->289 290 daa4f3-daa4fa 286->290 287->286 295 daac0b-daac2a call da2db9 * 2 289->295 296 daa526-daa544 call d71e0c 289->296 290->289 291 daa4fc-daa509 call da57fb 290->291 291->289 306 daac3a-daac66 call dab96d call d71e40 call d93247 295->306 307 daac2c-daac33 295->307 304 daa551 296->304 305 daa546-daa54f call dab0fa 296->305 309 daa553-daa55c 304->309 305->309 327 daac68-daac6a 306->327 328 daac6e-daacb5 call d71e40 call d711c2 call dabe0c call da2db9 306->328 307->306 310 daac35 call dab988 307->310 313 daa55e-daa560 309->313 314 daa564-daa5c1 call d72fec call dab277 309->314 310->306 313->314 325 daa5cd-daa652 call daad06 call dabf3e call d83a29 call d72e04 call d94345 314->325 326 daa5c3-daa5c7 314->326 348 daa676-daa6d6 call d92096 325->348 349 daa654-daa671 call d9375c call dab96d 325->349 326->325 327->328 354 daa6d8-daa6dd call dac7d7 348->354 355 daa6e2-daa6e5 348->355 349->348 354->355 358 daa72e-daa73a 355->358 359 daa6e7-daa6ee 355->359 362 daa79e-daa7aa 358->362 363 daa73c-daa74a call d71fa0 358->363 360 daa722-daa725 359->360 361 daa6f0-daa71d call d71fa0 fputs call d71fa0 call d71fb3 call d71fa0 359->361 360->358 368 daa727 360->368 361->360 366 daa7d9-daa7e5 362->366 367 daa7ac-daa7b2 362->367 374 daa74c-daa753 363->374 375 daa755-daa799 fputs call d72201 call d71fa0 fputs call d72201 call d71fa0 363->375 370 daa818-daa81a 366->370 371 daa7e7-daa7ed 366->371 367->366 373 daa7b4-daa7d4 fputs call d72201 call d71fa0 367->373 368->358 376 daa899-daa8a5 370->376 379 daa81c-daa82b 370->379 371->376 377 daa7f3-daa813 fputs call d72201 call d71fa0 371->377 373->366 374->362 374->375 375->362 383 daa8e9-daa8ed 376->383 384 daa8a7-daa8ad 376->384 377->370 386 daa82d-daa84c fputs call d72201 call d71fa0 379->386 387 daa851-daa85d 379->387 392 daa8ef 383->392 397 daa8f6-daa8f8 383->397 384->392 393 daa8af-daa8c2 call d71fa0 384->393 386->387 387->376 396 daa85f-daa872 call d71fa0 387->396 392->397 393->392 419 daa8c4-daa8e4 fputs call d72201 call d71fa0 393->419 396->376 414 daa874-daa894 fputs call d72201 call d71fa0 396->414 398 daa8fe-daa90a 397->398 399 daaaaf-daaaeb call d943b3 call d71e40 call dac104 call daad82 397->399 408 daaa73-daaa89 call d71fa0 398->408 409 daa910-daa91f 398->409 399->295 455 daaaf1-daaaf7 399->455 408->399 431 daaa8b-daaaaa fputs call d72201 call d71fa0 408->431 409->408 416 daa925-daa929 409->416 414->376 416->399 422 daa92f-daa93d 416->422 419->383 428 daa96a-daa971 422->428 429 daa93f-daa964 fputs call d72201 call d71fa0 422->429 436 daa98f-daa9a8 fputs call d72201 428->436 437 daa973-daa97a 428->437 429->428 431->399 445 daa9ad-daa9bd call d71fa0 436->445 437->436 442 daa97c-daa982 437->442 442->436 448 daa984-daa98d 442->448 453 daaa06-daaa4b fputs call d72201 call d71fa0 fputs call d72201 445->453 457 daa9bf-daaa01 fputs call d72201 call d71fa0 fputs call d72201 call d71fa0 445->457 448->436 448->453 466 daaa50-daaa5b call d71fa0 453->466 455->295 457->453 466->399 472 daaa5d-daaa71 call d71fa0 call da710e 466->472 472->399
                                                  APIs
                                                  • fputs.MSVCRT(Scanning the drive for archives:), ref: 00DAA43E
                                                    • Part of subcall function 00D71FA0: fputc.MSVCRT ref: 00D71FA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputcfputs
                                                  • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&$p&$!"$N
                                                  • API String ID: 269475090-1390249594
                                                  • Opcode ID: 8a17b9192380630e6fcff8d0f4875a60857d9d262aaee06b34a8f428adfa24e4
                                                  • Instruction ID: 861ba8b59bef2b8718941da968aa235dacfe203e3c1662c3be6fddf4bc447612
                                                  • Opcode Fuzzy Hash: 8a17b9192380630e6fcff8d0f4875a60857d9d262aaee06b34a8f428adfa24e4
                                                  • Instruction Fuzzy Hash: 28226C31A002589FDF26DBA8C845BEDFBB1EF95300F14819AE44967291EB756E84CF31

                                                  Control-flow Graph
                                                  control_flow_graph 478 da993d-da9950 call dab5b1 481 da9952-da995e call d71fb3 478->481 482 da9963-da997e call d81f33 478->482 481->482 486 da998f-da9998 482->486 487 da9980-da998a 482->487 488 da999a-da99a6 486->488 489 da99a8 486->489 487->486 488->489 490 da99ab-da99b5 488->490 489->490 491 da99b7-da99cc GetStdHandle GetConsoleScreenBufferInfo 490->491 492 da99d5-da9a04 call d71e0c call daacb6 490->492 491->492 493 da99ce-da99d2 491->493 500 da9a0c-da9a24 call d97b48 492->500 501 da9a06-da9a08 492->501 493->492 503 da9a29-da9a48 call dab96d call d97018 call d81aa4 500->503 501->500 510 da9a4a-da9a4c 503->510 511 da9a7c-da9aa8 call d9ddb5 503->511 513 da9a4e-da9a55 510->513 514 da9a66-da9a77 _CxxThrowException 510->514 517 da9aaa-da9abb _CxxThrowException 511->517 518 da9ac0-da9ade 511->518 513->514 516 da9a57-da9a64 call d81ac8 513->516 514->511 516->511 516->514 517->518 520 da9b3a-da9b55 518->520 521 da9ae0-da9b04 call d97dd7 518->521 525 da9b5c-da9ba4 call d71fa0 fputs call d71fa0 strlen * 2 520->525 526 da9b57 520->526 529 da9bfa-da9c0b _CxxThrowException 521->529 530 da9b0a-da9b0e 521->530 539 da9baa-da9be4 fputs fputc 525->539 540 da9e25-da9e4d call d71fa0 fputs call d71fa0 525->540 526->525 533 da9c10 529->533 530->529 532 da9b14-da9b38 call dac077 call d71e40 530->532 532->520 532->521 536 da9c12-da9c25 533->536 543 da9be6-da9bf0 536->543 544 da9c27-da9c33 536->544 539->543 539->544 556 da9f0c-da9f34 call d71fa0 fputs call d71fa0 540->556 557 da9e53 540->557 543->533 547 da9bf2-da9bf8 543->547 551 da9c81-da9cb1 call dab67d call d72e04 544->551 552 da9c35-da9c3d 544->552 547->536 593 da9cb3-da9cb7 551->593 594 da9d10-da9d28 call dab67d 551->594 554 da9c6b-da9c80 call d721d8 552->554 555 da9c3f-da9c4a 552->555 554->551 559 da9c4c-da9c52 555->559 560 da9c54 555->560 579 da9f3a 556->579 580 daac23-daac2a 556->580 563 da9e5a-da9e6f call dab650 557->563 566 da9c56-da9c69 559->566 560->566 572 da9e7b-da9e7e call d721d8 563->572 573 da9e71-da9e79 563->573 566->554 566->555 585 da9e83-da9f06 call dabde4 fputs call d71fa0 572->585 573->585 586 da9f41-da9f9d call dab650 call dab5e9 call dabde4 fputs call d71fa0 579->586 581 daac3a-daac66 call dab96d call d71e40 call d93247 580->581 582 daac2c-daac33 580->582 619 daac68-daac6a 581->619 620 daac6e-daacb5 call d71e40 call d711c2 call dabe0c call da2db9 581->620 582->581 587 daac35 call dab988 582->587 585->556 585->563 662 da9f9f 586->662 587->581 599 da9cb9-da9cbc call d7315e 593->599 600 da9cc1-da9cdd call d731e5 593->600 617 da9d2a-da9d4a fputs call d721d8 594->617 618 da9d4b-da9d53 594->618 599->600 613 da9cdf-da9d00 call d73221 call d731e5 call d71089 600->613 614 da9d05-da9d0e 600->614 613->614 614->593 614->594 617->618 625 da9d59-da9d5d 618->625 626 da9dff-da9e1f call d71fa0 call d71e40 618->626 619->620 629 da9d6e-da9d82 625->629 630 da9d5f-da9d6d fputs 625->630 626->539 626->540 639 da9df0-da9df9 629->639 640 da9d84-da9d88 629->640 630->629 639->625 639->626 645 da9d8a-da9d94 640->645 646 da9d95-da9d9f 640->646 645->646 652 da9da1-da9da3 646->652 653 da9da5-da9db1 646->653 652->653 659 da9dd8-da9dee 652->659 660 da9db8 653->660 661 da9db3-da9db6 653->661 659->639 659->640 665 da9dbb-da9dce 660->665 661->665 662->580 670 da9dd0-da9dd3 665->670 671 da9dd5 665->671 670->659 671->659
                                                  APIs
                                                    • Part of subcall function 00DAB5B1: fputs.MSVCRT ref: 00DAB5CA
                                                    • Part of subcall function 00DAB5B1: fputs.MSVCRT ref: 00DAB5E1
                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 00DA99BD
                                                  • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00DA99C4
                                                  • _CxxThrowException.MSVCRT(?,00E255B8), ref: 00DA9A77
                                                  • _CxxThrowException.MSVCRT(?,00E255B8), ref: 00DA9ABB
                                                    • Part of subcall function 00D71FB3: __EH_prolog.LIBCMT ref: 00D71FB8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                                  • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&$p&$N
                                                  • API String ID: 377453556-3519967863
                                                  • Opcode ID: 81ef958afd419dc6991d0a13fcc7c44b7dcd9c92f303d96169cfa02736fb8133
                                                  • Instruction ID: 32b01143d30851f042e9e58dca922c7f6a7d8ce303aee7ad89609156fbcb0a28
                                                  • Opcode Fuzzy Hash: 81ef958afd419dc6991d0a13fcc7c44b7dcd9c92f303d96169cfa02736fb8133
                                                  • Instruction Fuzzy Hash: 2D228C31900208DFDF15EFA8D895BADFBB1EF49310F24409AE545AB292DB349A85CF71

                                                  Control-flow Graph
                                                  control_flow_graph 672 d81ade-d81b14 call e0fb10 call d713f5 677 d81b32-d81b8b _fileno _isatty _fileno _isatty _fileno _isatty 672->677 678 d81b16-d81b2d call d91d73 _CxxThrowException 672->678 680 d81b9d-d81b9f 677->680 681 d81b8d-d81b91 677->681 678->677 682 d81ba0-d81bcd 680->682 681->680 684 d81b93-d81b97 681->684 685 d81bf9-d81c12 682->685 686 d81bcf-d81bf8 call d81ea4 call d727bb call d71e40 682->686 684->680 687 d81b99-d81b9b 684->687 689 d81c20 685->689 690 d81c14-d81c18 685->690 686->685 687->682 693 d81c27-d81c2b 689->693 690->689 692 d81c1a-d81c1e 690->692 692->689 692->693 695 d81c2d 693->695 696 d81c34-d81c3e 693->696 695->696 698 d81c49-d81c53 696->698 699 d81c40-d81c43 696->699 700 d81c5e-d81c68 698->700 701 d81c55-d81c58 698->701 699->698 703 d81c6a-d81c6d 700->703 704 d81c73-d81c79 700->704 701->700 703->704 706 d81cc9-d81cd2 704->706 707 d81c7b-d81c87 704->707 710 d81cea call d81eb9 706->710 711 d81cd4-d81ce6 706->711 708 d81c89-d81c93 707->708 709 d81c95-d81ca1 call d81ed1 707->709 708->706 718 d81cc0-d81cc3 709->718 719 d81ca3-d81cbb call d91d73 _CxxThrowException 709->719 714 d81cef-d81cf8 710->714 711->710 716 d81cfa-d81d0a 714->716 717 d81d37-d81d40 714->717 720 d81d10 716->720 721 d81dc2-d81dd4 wcscmp 716->721 723 d81e93-d81ea1 717->723 724 d81d46-d81d52 717->724 718->706 719->718 725 d81d17-d81d1f call d79399 720->725 721->725 727 d81dda-d81de6 call d81ed1 721->727 724->723 728 d81d58-d81d93 call d726dd call d7280c call d73221 call d73bbf 724->728 725->717 737 d81d21-d81d32 call df6a60 call d79313 725->737 727->725 735 d81dec-d81e04 call d91d73 _CxxThrowException 727->735 756 d81d9f-d81da3 728->756 757 d81d95-d81d9c 728->757 744 d81e09-d81e0c 735->744 737->717 747 d81e0e 744->747 748 d81e31-d81e4a call d81f0c GetCurrentProcess SetProcessAffinityMask 744->748 751 d81e10-d81e12 747->751 752 d81e14-d81e2c call d91d73 _CxxThrowException 747->752 761 d81e4c-d81e82 GetLastError call d73221 call d758a9 call d731e5 call d71e40 748->761 762 d81e83-d81e92 call d73172 call d71e40 748->762 751->748 751->752 752->748 756->744 760 d81da5-d81dbd call d91d73 _CxxThrowException 756->760 757->756 760->721 761->762 762->723
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D81AE3
                                                    • Part of subcall function 00D713F5: __EH_prolog.LIBCMT ref: 00D713FA
                                                  • _CxxThrowException.MSVCRT(?,00E26010), ref: 00D81B2D
                                                  • _fileno.MSVCRT ref: 00D81B3E
                                                  • _isatty.MSVCRT ref: 00D81B47
                                                  • _fileno.MSVCRT ref: 00D81B5D
                                                  • _isatty.MSVCRT ref: 00D81B60
                                                  • _fileno.MSVCRT ref: 00D81B73
                                                  • _CxxThrowException.MSVCRT(?,00E26010), ref: 00D81CBB
                                                  • _CxxThrowException.MSVCRT(?,00E26010), ref: 00D81DBD
                                                  • wcscmp.MSVCRT ref: 00D81DCA
                                                  • _CxxThrowException.MSVCRT(?,00E26010), ref: 00D81E04
                                                  • _isatty.MSVCRT ref: 00D81B76
                                                    • Part of subcall function 00D91D73: __EH_prolog.LIBCMT ref: 00D91D78
                                                  • _CxxThrowException.MSVCRT(?,00E26010), ref: 00D81E2C
                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00D81E3B
                                                  • SetProcessAffinityMask.KERNEL32(00000000), ref: 00D81E42
                                                  • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00D81E4C
                                                  Strings
                                                  • Unsupported switch postfix -stm, xrefs: 00D81DAA
                                                  • Unsupported switch postfix -bb, xrefs: 00D81CA8
                                                  • Unsupported switch postfix for -slp, xrefs: 00D81DF1
                                                  • unsupported value -stm, xrefs: 00D81E19
                                                  • Set process affinity mask: , xrefs: 00D81D74
                                                  • SeLockMemoryPrivilege, xrefs: 00D81D28
                                                  • : ERROR : , xrefs: 00D81E52
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                                  • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                                  • API String ID: 1826148334-1115009270
                                                  • Opcode ID: b98877614f5812e6c89d3718272a7cb1894eb509f664259d43d94573655d62c4
                                                  • Instruction ID: 0e8b46049b938f9c2c6c087783d25b5678093d9077763d2211d6b51443ea605b
                                                  • Opcode Fuzzy Hash: b98877614f5812e6c89d3718272a7cb1894eb509f664259d43d94573655d62c4
                                                  • Instruction Fuzzy Hash: D5C1E5759003459FDB21EFB8C848BD9BBF9AF09304F188459E489A7292D774A989CB30

                                                  Control-flow Graph

                                                  (rendered as an image in the original report; node and edge listing omitted): entry block 0x00DA8012, last block ends at 0x00DA82B9. Library calls reachable in the graph: fputs at three sites and SysFreeString at three sites, the last of them on the exit path, plus internal subroutines.
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DA8017
                                                  • fputs.MSVCRT ref: 00DA804D
                                                    • Part of subcall function 00DA8341: __EH_prolog.LIBCMT ref: 00DA8346
                                                    • Part of subcall function 00DA8341: fputs.MSVCRT ref: 00DA835B
                                                    • Part of subcall function 00DA8341: fputs.MSVCRT ref: 00DA8364
                                                  • fputs.MSVCRT ref: 00DA807A
                                                    • Part of subcall function 00D71FA0: fputc.MSVCRT ref: 00D71FA7
                                                    • Part of subcall function 00D7965D: VariantClear.OLEAUT32(?), ref: 00D7967F
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00DA81AA
                                                  • fputs.MSVCRT ref: 00DA81CD
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00DA8267
                                                  • SysFreeString.OLEAUT32(00000000), ref: 00DA82B1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                                  • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                                  • API String ID: 2889736305-3797937567
                                                  • Opcode ID: 910f1611e2aa9503627232ba8cd33d46ed85d839f24fa37071d575e6c0734f71
                                                  • Instruction ID: c70835fa1e8ddd525a9b80a3e33306daa9c67db1b0237365971731ebd0d2c764
                                                  • Opcode Fuzzy Hash: 910f1611e2aa9503627232ba8cd33d46ed85d839f24fa37071d575e6c0734f71
                                                  • Instruction Fuzzy Hash: 6F917531A00605AFCB14DFA4C981AEEB7B5FF49310F244129E852E7290DB70AD45DB74

                                                  Control-flow Graph

                                                  (rendered as an image in the original report; node and edge listing omitted): entry block 0x00DA6766, last block ends at 0x00DA695A. EnterCriticalSection is taken in the entry block and LeaveCriticalSection released in the exit block (0x00DA6944); fputs is reachable at four sites, plus internal subroutines.
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DA676B
                                                  • EnterCriticalSection.KERNEL32(00E32938), ref: 00DA6781
                                                  • fputs.MSVCRT ref: 00DA680B
                                                  • LeaveCriticalSection.KERNEL32(00E32938), ref: 00DA6944
                                                    • Part of subcall function 00DAC7D7: fputs.MSVCRT ref: 00DAC840
                                                  • fputs.MSVCRT ref: 00DA6851
                                                    • Part of subcall function 00D72201: fputs.MSVCRT ref: 00D7221E
                                                  • fputs.MSVCRT ref: 00DA68D9
                                                  • fputs.MSVCRT ref: 00DA68F6
                                                    • Part of subcall function 00D71FA0: fputc.MSVCRT ref: 00D71FA7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                                  • String ID: v$8)$8)$Sub items Errors:
                                                  • API String ID: 2670240366-1167879488
                                                  • Opcode ID: 35bb578521b467225319c1a9583715df1a5f1567189a359378ac513c3176ec49
                                                  • Instruction ID: bb65f0a475b58fe478495128a39489cc8d00fdc808d3bc8837a621c7ee9597d1
                                                  • Opcode Fuzzy Hash: 35bb578521b467225319c1a9583715df1a5f1567189a359378ac513c3176ec49
                                                  • Instruction Fuzzy Hash: 6C519F32501600DFC7259F74D895AEAB7F2FF85310F58852EE19A972A1DB34AC48CF60

                                                  Control-flow Graph

                                                  (rendered as an image in the original report; node and edge listing omitted): entry block 0x00DA6359, last block ends at 0x00DA66FD. fputs is reachable at four sites; the remaining blocks call internal subroutines only.
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DA635E
                                                  • fputs.MSVCRT ref: 00DA645F
                                                    • Part of subcall function 00DAC7D7: fputs.MSVCRT ref: 00DAC840
                                                  • fputs.MSVCRT ref: 00DA6547
                                                  • fputs.MSVCRT ref: 00DA665F
                                                  • fputs.MSVCRT ref: 00DA66AE
                                                    • Part of subcall function 00D71F91: fflush.MSVCRT ref: 00D71F93
                                                    • Part of subcall function 00D71FB3: __EH_prolog.LIBCMT ref: 00D71FB8
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$H_prolog$fflushfree
                                                  • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                                  • API String ID: 1750297421-1898165966
                                                  • Opcode ID: e58352ad6fc760af414909083b244fa65634d99b51e183eec02c5790990e34b2
                                                  • Instruction ID: ad65a739bb33071aa2fe1136e674b39fcfe22291103439a67518e1adcb1119d9
                                                  • Opcode Fuzzy Hash: e58352ad6fc760af414909083b244fa65634d99b51e183eec02c5790990e34b2
                                                  • Instruction Fuzzy Hash: 15B14B35A01701CFDB24EF64C9A1BAAB7A1FF46304F0C852DE55A97292DB70E948CB70

                                                  Control-flow Graph

                                                  (rendered as an image in the original report; node and edge listing omitted): entry block 0x00D79C8F, last block ends at 0x00D79D15. The entry block calls GetModuleHandleA and GetProcAddress; one edge leads to the GlobalMemoryStatusEx block (0x00D79CC4), the other to GlobalMemoryStatus (0x00D79CEF), and the GlobalMemoryStatusEx block also falls through to GlobalMemoryStatus. That is the availability probe with fallback for an API that older Windows versions lack.
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00D79CB3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00D79CBA
                                                  • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00D79CC8
                                                  • GlobalMemoryStatus.KERNEL32(?), ref: 00D79CFA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                                  • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                                  • API String ID: 180289352-802862622
                                                  • Opcode ID: e3aecdc40c9cbb0fc4eb809ca3f9fea90e43cf76b4f6a461bdcdc6251f8463ac
                                                  • Instruction ID: 4d6620fd86a801cf31edc905c292ac0294e088092592f5e78a7ed5a911df3820
                                                  • Opcode Fuzzy Hash: e3aecdc40c9cbb0fc4eb809ca3f9fea90e43cf76b4f6a461bdcdc6251f8463ac
                                                  • Instruction Fuzzy Hash: F11109729403099FDF20DFA8D869ADDFBF9BB04705F60841CD44AE7240E778A984CB64
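The function at 00D79C8F above is the kind of code the sandbox's dynamic-API-resolution signatures fire on: GetModuleHandleA/GetProcAddress with the literal names kernel32.dll and GlobalMemoryStatusEx, a call to the resolved export with dwLength 0x40, and GlobalMemoryStatus as the fallback. Whether such a pattern is a compatibility shim or import hiding comes down to one question: is the resolved export also observed being called? The Python below is an added example, not code from the report or from 7-Zip. It parses API bullets in the exact format printed on this page, answers that question, and checks that 0x40 is the real sizeof(MEMORYSTATUSEX). The sample lines are copied from this page; the regular expression is written to the bullet shapes visible here and is an assumption about the report format in general. Attributing the function to 7-Zip's memory-size probe is an inference from the 7zr snapshot name and the strings on this page, not something the report states.

```python
"""Parse the "APIs" bullets of a Joe Sandbox function report and triage
dynamic API resolution. Added example, not code from the report or from 7-Zip."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Two bullet shapes occur in the report (format assumed from the lines on this page):
#   "• GetProcAddress.KERNEL32(00000000), ref: 00D79CBA"
#   "• Part of subcall function 00D713F5: __EH_prolog.LIBCMT ref: 00D713FA"
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
_RAW_ARG = re.compile(r"^(?:[0-9A-F]{8}|\?)$")  # recovered value or unknown "?"
_MODULE_LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA",
                   "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# MEMORYSTATUSEX = 2 DWORDs + 7 DWORDLONGs = 64 bytes on x86 and x64;
# GlobalMemoryStatusEx fails unless dwLength is exactly this value.
SIZEOF_MEMORYSTATUSEX = 0x40

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

def parse_api_lines(lines):
    """Turn report bullets into ApiCall records; lines that do not match are skipped."""
    calls = []
    for line in lines:
        m = _API_LINE.match(line)
        if not m:
            continue
        raw, sub = m.group("args"), m.group("sub")
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def string_args(call):
    """Arguments the sandbox recovered as strings (module or export names)."""
    return [a for a in call.args if a and not _RAW_ARG.match(a)]

def dynamic_resolution_summary(calls):
    """Which exports a function resolves by name, and whether it then calls them.

    The sandbox attaches recovered stack strings to the loader call, e.g.
    GetModuleHandleA(kernel32.dll,GlobalMemoryStatusEx), so names are taken from
    loader and resolver arguments together. Resolved and then seen as a direct
    call: an availability shim. Only resolved: worth a look for hidden imports."""
    if not any(c.api == "GetProcAddress" for c in calls):
        return {"resolves": False}
    direct = {c.api for c in calls if c.subcall_of is None}
    modules, exports = set(), set()
    for c in calls:
        if c.api in _MODULE_LOADERS or c.api == "GetProcAddress":
            for s in string_args(c):
                (modules if s.lower().endswith(".dll") else exports).add(s)
    return {
        "resolves": True,
        "modules": sorted(modules),
        "exports": sorted(exports),
        "exports_also_called": sorted(e for e in exports if e in direct),
        "exports_only_resolved": sorted(e for e in exports if e not in direct),
    }

def memorystatusex_length_ok(calls):
    """True if dwLength passed to GlobalMemoryStatusEx is the real struct size,
    None if the call is absent or its argument was not recovered."""
    for c in calls:
        if c.api == "GlobalMemoryStatusEx" and c.args and re.fullmatch(r"[0-9A-F]{8}", c.args[0]):
            return int(c.args[0], 16) == SIZEOF_MEMORYSTATUSEX
    return None

# Copied verbatim from the "APIs" list of function 00D79C8F in the report.
REPORT_LINES_D79C8F = [
    "• GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00D79CB3",
    "• GetProcAddress.KERNEL32(00000000), ref: 00D79CBA",
    "• GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00D79CC8",
    "• GlobalMemoryStatus.KERNEL32(?), ref: 00D79CFA",
]
# Copied from function 00D81ADE: a subcall line and a string argument, no resolution.
REPORT_LINES_D81ADE = [
    "• __EH_prolog.LIBCMT ref: 00D81AE3",
    "  • Part of subcall function 00D713F5: __EH_prolog.LIBCMT ref: 00D713FA",
    "• _CxxThrowException.MSVCRT(?,00E26010), ref: 00D81B2D",
    "• GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00D81E3B",
    "• SetProcessAffinityMask.KERNEL32(00000000), ref: 00D81E42",
]

if __name__ == "__main__":
    calls = parse_api_lines(REPORT_LINES_D79C8F)
    print(dynamic_resolution_summary(calls))
    print("dwLength == sizeof(MEMORYSTATUSEX):", memorystatusex_length_ok(calls))
    print(dynamic_resolution_summary(parse_api_lines(REPORT_LINES_D81ADE)))
```

For 00D79C8F the summary lists kernel32.dll, the single export GlobalMemoryStatusEx, and that export under exports_also_called, with the dwLength check passing; for 00D81ADE it reports no resolution at all. On a full report, run the bullets of each function through it and read exports_only_resolved: an export that a function looks up but is never seen calling is the one to open in the disassembly.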

                                                  Control-flow Graph

                                                  (rendered as an image in the original report; node and edge listing omitted): entry block 0x00DBF1B2, last block ends at 0x00DBF378. Library calls reachable in the graph: _CxxThrowException once, memcpy at two sites and memmove once (these are visible only in the graph; the APIs list for this function below is empty).
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: C$C
                                                  • API String ID: 3519838083-1384631684
                                                  • Opcode ID: 5179a7c7bc474c7a5f5f7f615058c2f8f2d1473214d510ab11c80ddab2433347
                                                  • Instruction ID: d900836a36f348e1f5887489be39dd9d4405f9a764600ff7c4d46d07837f331b
                                                  • Opcode Fuzzy Hash: 5179a7c7bc474c7a5f5f7f615058c2f8f2d1473214d510ab11c80ddab2433347
                                                  • Instruction Fuzzy Hash: 97514B76A00315DFDB14DFA4C885AEEB3F5FF98354F188429E902AB381DB74A9458B70

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                                  • String ID:
                                                  • API String ID: 4012487245-0
                                                  • Opcode ID: 58431cbb0533c72ab26f74e0b55d77446cc0145762e5f55f3ce4993853ae0943
                                                  • Instruction ID: fcd4c211d5b1a03d9e50d74093b9b558fe9757d0f61a5f850348e01f412f7c89
                                                  • Opcode Fuzzy Hash: 58431cbb0533c72ab26f74e0b55d77446cc0145762e5f55f3ce4993853ae0943
                                                  • Instruction Fuzzy Hash: 82211871A81708EFCB149FA5DC49AD9BFB8FB09720F105259F561B32A1C7B45488CF21

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                                  • String ID:
                                                  • API String ID: 279829931-0
                                                  • Opcode ID: a2019bb0db23cca3b886adde9a3e30e5cde156ca5df9d7dd07bb0446467f2b3a
                                                  • Instruction ID: 4eb3c34cb3fb67a59051da5f9815f36ec5306bb08d61bfac317789ab33b2b3ce
                                                  • Opcode Fuzzy Hash: a2019bb0db23cca3b886adde9a3e30e5cde156ca5df9d7dd07bb0446467f2b3a
                                                  • Instruction Fuzzy Hash: D201E9B2A81308AFDB059FE0DC49CEEBBB9FB0D310B105459F642B6261DA759588DF21

                                                  Control-flow Graph

                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D9185D
                                                    • Part of subcall function 00D9021A: __EH_prolog.LIBCMT ref: 00D9021F
                                                    • Part of subcall function 00D9062E: __EH_prolog.LIBCMT ref: 00D90633
                                                  • _CxxThrowException.MSVCRT(?,00E26010), ref: 00D91961
                                                    • Part of subcall function 00D91AA5: __EH_prolog.LIBCMT ref: 00D91AAA
                                                  Strings
                                                  • Duplicate archive path:, xrefs: 00D91A8D
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrow
                                                  • String ID: Duplicate archive path:
                                                  • API String ID: 2366012087-4000988232
                                                  • Opcode ID: 7b0896cf46bf7d8d84c7bc8a0dd28648dc67d8656a7dba2173a3620a29b27f02
                                                  • Instruction ID: 9014c0a70741d55a5053e09db9d8b1ab2bc5587e299fd4d27ab26e9b558cb49c
                                                  • Opcode Fuzzy Hash: 7b0896cf46bf7d8d84c7bc8a0dd28648dc67d8656a7dba2173a3620a29b27f02
                                                  • Instruction Fuzzy Hash: B3813635D00259DBCF25EFA8D991ADDBBB5EF08310F1081A9E41677292DB30AE45CBB0

                                                  Control-flow Graph
                                                  [Figure: control-flow graph of the function at d76c72 (basic blocks coloured Executed / Not Executed); rendered graph not reproduced in text]
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D76C77
                                                  • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00D76EC9
                                                    • Part of subcall function 00D76C72: wcscmp.MSVCRT ref: 00D770A5
                                                    • Part of subcall function 00D76BF5: __EH_prolog.LIBCMT ref: 00D76BFA
                                                    • Part of subcall function 00D76BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00D76C1A
                                                    • Part of subcall function 00D76BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00D76C49
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                                  • String ID: :$DATA
                                                  • API String ID: 3316598575-2587938151
                                                  • Opcode ID: c256fecf84ecbed844d3f42c79230c053e176c39a11993273aa1ffa62b1fb92a
                                                  • Instruction ID: 082a0e7822d0d2d652104363b632e33e0672cec95a3bfc1d19d40b56af2772ce
                                                  • Opcode Fuzzy Hash: c256fecf84ecbed844d3f42c79230c053e176c39a11993273aa1ffa62b1fb92a
                                                  • Instruction Fuzzy Hash: 58E1D1309007099ACF25EFA4C895AEEB7B1EF15314F14C519F88E67292FB70A949CB71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D86FCA
                                                    • Part of subcall function 00D86E71: __EH_prolog.LIBCMT ref: 00D86E76
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                                  • API String ID: 3519838083-394804653
                                                  • Opcode ID: 7e41d7938b44d2a6735596ccab939af1007daf9389ec420dd411e6163af0b67d
                                                  • Instruction ID: ea6abfb1c8511093854ccd0f04275499eb4705036cd4e099e39102636e52ae84
                                                  • Opcode Fuzzy Hash: 7e41d7938b44d2a6735596ccab939af1007daf9389ec420dd411e6163af0b67d
                                                  • Instruction Fuzzy Hash: 9B4194729097449BCF21EFA48490AEEFBF5EF55340F68446EE086A3601D631EE45C771
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$H_prolog
                                                  • String ID: =
                                                  • API String ID: 2614055831-2525689732
                                                  • Opcode ID: b4aba51893beaad1d080e80115e2abc98eeed47cce40dbcead4519ea1cbe64fc
                                                  • Instruction ID: 1a34b366bddca5446d0d96b6058e5dc10c1250c0a43295decb2b1e9d1506f25b
                                                  • Opcode Fuzzy Hash: b4aba51893beaad1d080e80115e2abc98eeed47cce40dbcead4519ea1cbe64fc
                                                  • Instruction Fuzzy Hash: DB218E32904118ABCF09EB94D942AEDBBB5EF48310F20402AF80572191EF715E45DBB1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DBBDBA
                                                    • Part of subcall function 00DBBE69: __EH_prolog.LIBCMT ref: 00DBBE6E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $0$D
                                                  • API String ID: 3519838083-1102854553
                                                  • Opcode ID: ee3c8e0dedafffe3407fada1df077bff6f1f2dd80be90afebeb53a5b4445dc01
                                                  • Instruction ID: edd49d0b9460021233af5ba2c4fe62e5f2167955bb798a9f10368d65754dbd06
                                                  • Opcode Fuzzy Hash: ee3c8e0dedafffe3407fada1df077bff6f1f2dd80be90afebeb53a5b4445dc01
                                                  • Instruction Fuzzy Hash: 1511F3B0601750DFC320DF59C1896C6FBE0FF58304F54D8AEA4AA67712C3B0A648CB60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DA8346
                                                  • fputs.MSVCRT ref: 00DA835B
                                                  • fputs.MSVCRT ref: 00DA8364
                                                    • Part of subcall function 00DA83BF: __EH_prolog.LIBCMT ref: 00DA83C4
                                                    • Part of subcall function 00DA83BF: fputs.MSVCRT ref: 00DA8401
                                                    • Part of subcall function 00DA83BF: fputs.MSVCRT ref: 00DA8437
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$H_prolog
                                                  • String ID: =
                                                  • API String ID: 2614055831-2525689732
                                                  • Opcode ID: 5c64bde1963119b4497ad81ffdc8e113b680011e1714c55357314cfd2cdee5e4
                                                  • Instruction ID: 062b1b0353f3a2f48e60a8cf9b16c5cdb7bbe1b5bef081c5b49f3167b981458c
                                                  • Opcode Fuzzy Hash: 5c64bde1963119b4497ad81ffdc8e113b680011e1714c55357314cfd2cdee5e4
                                                  • Instruction Fuzzy Hash: 1901A931A00004ABCF16BFA8D812AEDBF75EF85750F00801AF845A22A1DF754A95DFF1
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,00D8AB57), ref: 00E07DAA
                                                  • GetLastError.KERNEL32(?,00000000,00D8AB57), ref: 00E07DBB
                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,00D8AB57), ref: 00E07DCF
                                                  • GetLastError.KERNEL32(?,00000000,00D8AB57), ref: 00E07DD9
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandleObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 1796208289-0
                                                  • Opcode ID: 9fc5683c7edbeb050a10707fa31cd8915e628670827e1ad76de565da8efd7b7c
                                                  • Instruction ID: 71cc84dc769f965caf290893fd5f869dcab0c030461002007a5508dc53c22e2b
                                                  • Opcode Fuzzy Hash: 9fc5683c7edbeb050a10707fa31cd8915e628670827e1ad76de565da8efd7b7c
                                                  • Instruction Fuzzy Hash: 23F0FE71B082025BEB206EBE9C84B766698AF573B8B305725E5A1F21D4DA60EC849620
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(00E32938), ref: 00DA588B
                                                  • LeaveCriticalSection.KERNEL32(00E32938), ref: 00DA58BC
                                                    • Part of subcall function 00DAC911: GetTickCount.KERNEL32 ref: 00DAC926
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$CountEnterLeaveTick
                                                  • String ID: v$8)
                                                  • API String ID: 1056156058-810098605
                                                  • Opcode ID: 880f0c76cf1832e0d7ef058f5709ee1f5b8da0daa27d5bd0f7c1c81a8414d489
                                                  • Instruction ID: 83690b1b96abdba5133a15a7156cac852281755308781ab8a37c202c84212edc
                                                  • Opcode Fuzzy Hash: 880f0c76cf1832e0d7ef058f5709ee1f5b8da0daa27d5bd0f7c1c81a8414d489
                                                  • Instruction Fuzzy Hash: 0EE032756092109FC304DF19E808E8A3BA5AFD9321F0654AEF0059B3A2CB30C848CAB1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D9209B
                                                    • Part of subcall function 00D7757D: GetLastError.KERNEL32(00D7D14C), ref: 00D7757D
                                                    • Part of subcall function 00D92C6C: __EH_prolog.LIBCMT ref: 00D92C71
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ErrorLastfree
                                                  • String ID: Cannot find archive file$The item is a directory
                                                  • API String ID: 683690243-1569138187
                                                  • Opcode ID: 2a9798f589f318129e55d69244f7d23b6ef62a71159dab5e2e5b88cc0fd711aa
                                                  • Instruction ID: b6c4023ddcc2f73c0653ffef2f4581a6d79fc20bb6fe390fd2d69448207cf9e7
                                                  • Opcode Fuzzy Hash: 2a9798f589f318129e55d69244f7d23b6ef62a71159dab5e2e5b88cc0fd711aa
                                                  • Instruction Fuzzy Hash: 22721574D00258EFCF25DFA8C884BEDBBB5AF59304F14809AE859A7252D7709A81CF61
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CountTickfputs
                                                  • String ID: .
                                                  • API String ID: 290905099-4150638102
                                                  • Opcode ID: 93ebb34cfd6b7e8de2e00b6582d5cd68e523b778472c581f5963583563207766
                                                  • Instruction ID: 3dd233e375037497ca12bf13f1a4af89191639d38bfa5843e6abe0e3f7c35e2b
                                                  • Opcode Fuzzy Hash: 93ebb34cfd6b7e8de2e00b6582d5cd68e523b778472c581f5963583563207766
                                                  • Instruction Fuzzy Hash: 26715A30610B449FCB25EF68C981AAAB7F6EF82310F04981DE09B97641EB71B945CB31
                                                  APIs
                                                    • Part of subcall function 00D79C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00D79CB3
                                                    • Part of subcall function 00D79C8F: GetProcAddress.KERNEL32(00000000), ref: 00D79CBA
                                                    • Part of subcall function 00D79C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00D79CC8
                                                  • __aulldiv.LIBCMT ref: 00DB093F
                                                  • __aulldiv.LIBCMT ref: 00DB094B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                                  • String ID: 3333
                                                  • API String ID: 3520896023-2924271548
                                                  • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                                  • Instruction ID: 18953a231f8a3f761ef05364cb177709eb5702160610af5a56ba08adbc59a172
                                                  • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                                  • Instruction Fuzzy Hash: D2216AB1900704AFE730DF698881A5FFAFDFB84750F14892EF186D7641D67099448B75
                                                  APIs
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  • memset.MSVCRT ref: 00D9AEBA
                                                  • memset.MSVCRT ref: 00D9AECD
                                                    • Part of subcall function 00DB04D2: _CxxThrowException.MSVCRT(?,00E24A58), ref: 00DB04F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memset$ExceptionThrowfree
                                                  • String ID: Split
                                                  • API String ID: 1404239998-1882502421
                                                  • Opcode ID: 4cbf498eb0094fdefe1acf8ed4aab683cf79d1c9077cd79a5edf37efc68054ab
                                                  • Instruction ID: 314f5cde83346cadf51cfdc010a06cb147cdee70cb7ab19fd426d0e799cb4828
                                                  • Opcode Fuzzy Hash: 4cbf498eb0094fdefe1acf8ed4aab683cf79d1c9077cd79a5edf37efc68054ab
                                                  • Instruction Fuzzy Hash: 87425B35A00259DFDF25DBA8C984BADBBB1FF05304F184099E449A7251DB31AE85CF72
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D7759F
                                                    • Part of subcall function 00D7764C: CloseHandle.KERNELBASE(00000000,?,00D775AF,00000002,?,00000000,00000000), ref: 00D77657
                                                  • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 00D775E5
                                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00D77626
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CreateFile$CloseH_prologHandle
                                                  • String ID:
                                                  • API String ID: 449569272-0
                                                  • Opcode ID: 881833fc925b66cf7fdd74bf799b0584c73895cfb9623c6ecd849b0bf88db497
                                                  • Instruction ID: ee36fa2b883e07cee7db294be8b9720014d65171079b5bf6c473dc2eb35807b5
                                                  • Opcode Fuzzy Hash: 881833fc925b66cf7fdd74bf799b0584c73895cfb9623c6ecd849b0bf88db497
                                                  • Instruction Fuzzy Hash: 5311B47280020AEFCF11AFA4CC408EEBB7AFF04354B14C929F964561A1D7318DA1DB60
                                                  APIs
                                                  • fputs.MSVCRT ref: 00DA8437
                                                  • fputs.MSVCRT ref: 00DA8401
                                                    • Part of subcall function 00D71FB3: __EH_prolog.LIBCMT ref: 00D71FB8
                                                  • __EH_prolog.LIBCMT ref: 00DA83C4
                                                    • Part of subcall function 00D71FA0: fputc.MSVCRT ref: 00D71FA7
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologfputs$fputc
                                                  • String ID:
                                                  • API String ID: 678540050-0
                                                  • Opcode ID: 9495cbec02cca78df09df740536c2b58242dde69c34fe9e29c909465a5785154
                                                  • Instruction ID: 44913b8f50d8a36d82efb53f91aed4d9608b0853a5b95db4f789454a207cf18b
                                                  • Opcode Fuzzy Hash: 9495cbec02cca78df09df740536c2b58242dde69c34fe9e29c909465a5785154
                                                  • Instruction Fuzzy Hash: 93110236F041049BCB09BBB4D813AAEBB76EF85750F008029F506A2291EF6558458AF4
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,00D777DB,?,?,00000000,?,00D77832,?), ref: 00D77773
                                                  • GetLastError.KERNEL32(?,00D777DB,?,?,00000000,?,00D77832,?,?,?,?,00000000), ref: 00D77780
                                                  • SetLastError.KERNEL32(00000000,?,?,00D777DB,?,?,00000000,?,00D77832,?,?,?,?,00000000), ref: 00D77797
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  • Opcode ID: bdaf9f54b3bf51de35ac8dc2e6da8ea83ed72a59e88a1c58388c1cd198c18346
                                                  • Instruction ID: 60d7a066e0d3b9bd87d518be11c617f26a5369afc6ab565df6ba26ce3163a3d4
                                                  • Opcode Fuzzy Hash: bdaf9f54b3bf51de35ac8dc2e6da8ea83ed72a59e88a1c58388c1cd198c18346
                                                  • Instruction Fuzzy Hash: 5B119D31604305AFEF158F68CC45BEE37F5AB08324F24C829F85A97291E7B09D559B60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D75A91
                                                  • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00D75AB7
                                                  • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00D75AEC
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile$H_prolog
                                                  • String ID:
                                                  • API String ID: 3790360811-0
                                                  • Opcode ID: 1b42d6abd012862e26cf34289f8ceabee77ba84b42b67fd0a8109f6c0678f2c2
                                                  • Instruction ID: eb4af56bb67977b0d64383b22dc912c3fc870bd892af9f82573d21b8c0bb3fb1
                                                  • Opcode Fuzzy Hash: 1b42d6abd012862e26cf34289f8ceabee77ba84b42b67fd0a8109f6c0678f2c2
                                                  • Instruction Fuzzy Hash: AE01F532E00215ABCF15ABA4A8816FEB775EF40350F28C526EC19A3191EB758C11EA71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D85BEF
                                                    • Part of subcall function 00D854C0: __EH_prolog.LIBCMT ref: 00D854C5
                                                    • Part of subcall function 00D85630: __EH_prolog.LIBCMT ref: 00D85635
                                                    • Part of subcall function 00D936EA: __EH_prolog.LIBCMT ref: 00D936EF
                                                    • Part of subcall function 00D857C1: __EH_prolog.LIBCMT ref: 00D857C6
                                                    • Part of subcall function 00D858BE: __EH_prolog.LIBCMT ref: 00D858C3
                                                  Strings
                                                  • Cannot seek to begin of file, xrefs: 00D8610F
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: Cannot seek to begin of file
                                                  • API String ID: 3519838083-2298593816
                                                  • Opcode ID: 9857664ba41ec398f2f328989e2ca16a01623ada72d5d22bfdf28f113e8d1156
                                                  • Instruction ID: f6d7b54248154e395f97ab1cf901b4dc3a0a6c542df34c88c65da142aeb9eab1
                                                  • Opcode Fuzzy Hash: 9857664ba41ec398f2f328989e2ca16a01623ada72d5d22bfdf28f113e8d1156
                                                  • Instruction Fuzzy Hash: 7D12D2319047499FDF26EFA4C884BEEBBB5EF04314F18445DE48667292DB70AA84CB71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DB4E8F
                                                    • Part of subcall function 00D7965D: VariantClear.OLEAUT32(?), ref: 00D7967F
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ClearH_prologVariantfree
                                                  • String ID: file
                                                  • API String ID: 904627215-2359244304
                                                  • Opcode ID: c0d0dcd778584f80963562c8eda42f6da8c5e8e3472eb480f990ba63794d654c
                                                  • Instruction ID: eae267dfdbbaf844f73a2c9338d325796c083787dd2a807a8d31eaef5fabe6a9
                                                  • Opcode Fuzzy Hash: c0d0dcd778584f80963562c8eda42f6da8c5e8e3472eb480f990ba63794d654c
                                                  • Instruction Fuzzy Hash: 56125134900249DFCF15EFA8D941AEDBBB6EF44340F248168F80AAB252DB719E45CB70
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D92CE0
                                                    • Part of subcall function 00D75E10: __EH_prolog.LIBCMT ref: 00D75E15
                                                    • Part of subcall function 00D841EC: _CxxThrowException.MSVCRT(?,00E24A58), ref: 00D8421A
                                                    • Part of subcall function 00D7965D: VariantClear.OLEAUT32(?), ref: 00D7967F
                                                  Strings
                                                  • Cannot create output directory, xrefs: 00D93070
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ClearExceptionThrowVariant
                                                  • String ID: Cannot create output directory
                                                  • API String ID: 814188403-1181934277
                                                  • Opcode ID: c4d4f62093d275a1219ed3340b0db344f7d0d917fa819f5479b30289ec4fbdb0
                                                  • Instruction ID: c44460dbe7c665e4dd80f8652b0ea9821c17c50aafc113ee2eec0e1b71d8ed9d
                                                  • Opcode Fuzzy Hash: c4d4f62093d275a1219ed3340b0db344f7d0d917fa819f5479b30289ec4fbdb0
                                                  • Instruction Fuzzy Hash: 1BF18E30905289AFCF25EFA4C891AEDBBB5FF19300F184199F44967252EB309E45CB71
                                                  APIs
                                                  • fputs.MSVCRT ref: 00DAC840
                                                    • Part of subcall function 00D725CB: _CxxThrowException.MSVCRT(?,00E24A58), ref: 00D725ED
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrowfputs
                                                  • String ID:
                                                  • API String ID: 1334390793-399585960
                                                  • Opcode ID: a9b6a960d20ed778c3b977d3c34a64621403c7dc53868d7069fd23c17de2126b
                                                  • Instruction ID: 2bd32af36d221fa24819d375087e86667a4ee50e56f8fd7ea27c598bcb632478
                                                  • Opcode Fuzzy Hash: a9b6a960d20ed778c3b977d3c34a64621403c7dc53868d7069fd23c17de2126b
                                                  • Instruction Fuzzy Hash: 7411D0716047449FDB15CF58C8C1BAABBE6FF4A314F04846EE1468B240C7B5A804C7A0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID: Open
                                                  • API String ID: 1795875747-71445658
                                                  • Opcode ID: d28563ea0722d9f27cb33e3c61645e12c872315278adf9e20394f188e93c4966
                                                  • Instruction ID: b01353e4e97929d0a8d2793c62251b143af0b2c6b3fda6d6f2ea880a78053e90
                                                  • Opcode Fuzzy Hash: d28563ea0722d9f27cb33e3c61645e12c872315278adf9e20394f188e93c4966
                                                  • Instruction Fuzzy Hash: 5211A032105744DFC720EF74D991ADABBE5EF55310F54852EE19A83212EB31A844CFB0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D858C3
                                                    • Part of subcall function 00D76C72: __EH_prolog.LIBCMT ref: 00D76C77
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  • Opcode ID: ce844a397eee2f47f398d18aabdfd0e8dd3b71f9d290a3528fa80a8ac0788a6e
                                                  • Instruction ID: 0bdaf1e95d3a22ac0033ea5a991bd20ff28f368963ccba6786ee906902b23fce
                                                  • Opcode Fuzzy Hash: ce844a397eee2f47f398d18aabdfd0e8dd3b71f9d290a3528fa80a8ac0788a6e
                                                  • Instruction Fuzzy Hash: BD91D2359005059FCF25FFA8E881AEEBBB2EF54340F148169F846A7255EB31AD44CB71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DC06B3
                                                  • _CxxThrowException.MSVCRT(?,00E2D480), ref: 00DC08F2
                                                    • Part of subcall function 00D71E0C: malloc.MSVCRT ref: 00D71E1F
                                                    • Part of subcall function 00D71E0C: _CxxThrowException.MSVCRT(?,00E24B28), ref: 00D71E39
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrow$H_prologmalloc
                                                  • String ID:
                                                  • API String ID: 3044594480-0
                                                  • Opcode ID: 5845d40707ae940366d0dbca04b7572a02aa3458634035c3def825450e72cfdd
                                                  • Instruction ID: eacd34b2e90d14334cae747e53cee4c364f70b6149cc63f1574c95ba78b669d3
                                                  • Opcode Fuzzy Hash: 5845d40707ae940366d0dbca04b7572a02aa3458634035c3def825450e72cfdd
                                                  • Instruction Fuzzy Hash: 78913974900259DFCF21EFA8C881AEEBBB5EF09304F148199E459A7252D730AE45CF71
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 5476728f596256c880623f5808562e32314c7b878b156eb22e66c25425fdb5c7
                                                  • Instruction ID: 1cd43d93a7274fcad643039791fcdcbfc6ed9f115671e7e6ff5ece3f9c99c5ae
                                                  • Opcode Fuzzy Hash: 5476728f596256c880623f5808562e32314c7b878b156eb22e66c25425fdb5c7
                                                  • Instruction Fuzzy Hash: 1A518E71508B40EFDB25EF64C490AEABBF5BF55300F28889DE4D65B612C730E984DB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D97B4D
                                                  • memcpy.MSVCRT(00000000,00E327DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00D97C65
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologmemcpy
                                                  • String ID:
                                                  • API String ID: 2991061955-0
                                                  • Opcode ID: ccb38cd1efd2fd796137f45018d764b3108b600a837a839b02f2d97e95478c73
                                                  • Instruction ID: d272cb71b281521ea73895755242bdeb2fb213db09d73c93ff555b48187bd0af
                                                  • Opcode Fuzzy Hash: ccb38cd1efd2fd796137f45018d764b3108b600a837a839b02f2d97e95478c73
                                                  • Instruction Fuzzy Hash: DA415871A142199BCF24EFA4C991AEEBBF4FF04304F144529E456B7292DB31AE09CB71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DC1516
                                                    • Part of subcall function 00DC10D3: __EH_prolog.LIBCMT ref: 00DC10D8
                                                  • _CxxThrowException.MSVCRT(?,00E2D480), ref: 00DC1561
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrow
                                                  • String ID:
                                                  • API String ID: 2366012087-0
                                                  • Opcode ID: ac62a5917e5c54ea769343af3bebadcff1e97ce6edc8ad0be36d25738573423c
                                                  • Instruction ID: 2cd811f7ec97bec7ea874b822b7f164908fe9b54eb1b98391b7fbc613530f0c6
                                                  • Opcode Fuzzy Hash: ac62a5917e5c54ea769343af3bebadcff1e97ce6edc8ad0be36d25738573423c
                                                  • Instruction Fuzzy Hash: 0301F236500259AEDF119F94C815FEE7FB8EF86350F04415EF4456B252C3B5A9A18BB0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DA5800
                                                  • fputs.MSVCRT ref: 00DA5830
                                                    • Part of subcall function 00D71FA0: fputc.MSVCRT ref: 00D71FA7
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologfputcfputsfree
                                                  • String ID:
                                                  • API String ID: 195749403-0
                                                  • Opcode ID: 8a17c20c6b68234d80735b514d9e26c4e671bd172497f548ff4f877ae4380e60
                                                  • Instruction ID: 057b8e56cdebd3a63c950d0954011ac07f054c1c2438847746e38819175bad57
                                                  • Opcode Fuzzy Hash: 8a17c20c6b68234d80735b514d9e26c4e671bd172497f548ff4f877ae4380e60
                                                  • Instruction Fuzzy Hash: E4F05E32900514DFCB16BBA4E4027EEBBB1FF05750F10842AF505A25A1DB345995CBA4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs$fputc
                                                  • String ID:
                                                  • API String ID: 1185151155-0
                                                  • Opcode ID: 4d3992eca946ad36f460085a1eda9817a094855a7c1ddf3df07398b1b940757c
                                                  • Instruction ID: 71891909a1a351f30f94d07b9fe7ce7373795fd6a214adc551b5a14ed2d4d950
                                                  • Opcode Fuzzy Hash: 4d3992eca946ad36f460085a1eda9817a094855a7c1ddf3df07398b1b940757c
                                                  • Instruction Fuzzy Hash: C7E0C2377491106F96266B59BC018943BE6DFCA371339402FE640E32A1AF133D1E5AB4
                                                  APIs
                                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 00D7952C
                                                  • _CxxThrowException.MSVCRT(?,00E255B8), ref: 00D7954A
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AllocExceptionStringThrow
                                                  • String ID:
                                                  • API String ID: 3773818493-0
                                                  • Opcode ID: 90f1f9088f9e694ff743750417cef2ac2a1ee87239030ed97755bc2e4376ea12
                                                  • Instruction ID: 97911991ed20580cbd114ca3a46fe27c83d85207279a23d857dba6c4277be1fd
                                                  • Opcode Fuzzy Hash: 90f1f9088f9e694ff743750417cef2ac2a1ee87239030ed97755bc2e4376ea12
                                                  • Instruction Fuzzy Hash: A5F06D72250314AFC710EFA9D856D86BBECEF04380740C42AF909DB210EB74E844CBA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast_beginthreadex
                                                  • String ID:
                                                  • API String ID: 4034172046-0
                                                  • Opcode ID: cddb846cd8ca64bfe81501026845f09eff06071359c1e6d832b1c8157a3592a0
                                                  • Instruction ID: afc5e8bc482d886e516b127f6ad85b2b8adce86e3b386cd5d54ab8c67ab421a4
                                                  • Opcode Fuzzy Hash: cddb846cd8ca64bfe81501026845f09eff06071359c1e6d832b1c8157a3592a0
                                                  • Instruction Fuzzy Hash: A1E08CB26492026AE3109B60CC06FA77298ABA0B44F50846DFA85E61C0E6609D41C3A1
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32(?,?,00D79C6E), ref: 00D79C52
                                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D79C59
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: Process$AffinityCurrentMask
                                                  • String ID:
                                                  • API String ID: 1231390398-0
                                                  • Opcode ID: 821f2a8cf47c5d4a6fdaab5257254a374ff9b084a43a8768fbbf7a192efe60a3
                                                  • Instruction ID: 5683761bd605bc4a2f50fc21b89e8df2d46dbfa26a0a5338cffc1ef25140391a
                                                  • Opcode Fuzzy Hash: 821f2a8cf47c5d4a6fdaab5257254a374ff9b084a43a8768fbbf7a192efe60a3
                                                  • Instruction Fuzzy Hash: 3BB092B2480100EFCE009FA19D0CCA63B2CAB082053208684B109D2010C636C1498B64
                                                  APIs
                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 00D7B843
                                                  • GetLastError.KERNEL32 ref: 00D7B8AA
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastmemcpy
                                                  • String ID:
                                                  • API String ID: 2523627151-0
                                                  • Opcode ID: fd739b30e08a93db7351867bd53e40dd95fe9cbd594f463e5e052747d1b96834
                                                  • Instruction ID: ff8d53464ecc8e61a1e77008cd57cd18ee6df7dbc51e31cd4f215e9643bef5d4
                                                  • Opcode Fuzzy Hash: fd739b30e08a93db7351867bd53e40dd95fe9cbd594f463e5e052747d1b96834
                                                  • Instruction Fuzzy Hash: 0E812D716007059FDB68CE25C98076AB7F6FF44324F588A2FD98A87A40E730F945CB61
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionThrowmalloc
                                                  • String ID:
                                                  • API String ID: 2436765578-0
                                                  • Opcode ID: fc08b1839ea7fa758ef14b2720db6e156f4c690336a86589647e432b55c12195
                                                  • Instruction ID: b5b67f1bafb88f6544e22eb9ae9ff12b2fb5d44ed6c660b738dd84df916179f9
                                                  • Opcode Fuzzy Hash: fc08b1839ea7fa758ef14b2720db6e156f4c690336a86589647e432b55c12195
                                                  • Instruction Fuzzy Hash: 90E0C23414024CBECF10AFA0D8047D83FA85F00355F04E015FC0CAE141D670C7D48B50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: f6fac4d389671f2f16fbe3874f091cc17cef79b6592b27221720e24220801f0f
                                                  • Instruction ID: b4cda10fafc1a13c7e740b5434fd5168446ace7ae87e93fd1add633dbbafc102
                                                  • Opcode Fuzzy Hash: f6fac4d389671f2f16fbe3874f091cc17cef79b6592b27221720e24220801f0f
                                                  • Instruction Fuzzy Hash: 43527F30900249DFDF11CFA8C594BEDBBB5AF49314F28409AE846AB291DBB5DE45CB31
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: ea141c2cf03ba193d0458c19dd639cf0916604f4904dd32e0dbf2dc9c6c3f0c8
                                                  • Instruction ID: 665da9a1265f82ce3e8a749e07c87593a9f9af446f5f448447a462c85c00573b
                                                  • Opcode Fuzzy Hash: ea141c2cf03ba193d0458c19dd639cf0916604f4904dd32e0dbf2dc9c6c3f0c8
                                                  • Instruction Fuzzy Hash: 44F1CD70504785DFCF21EF64C490AAABBE1BF15314F5888AEE49A9B611E730ED84CB71
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 7a31c60e968bd7e811e2795633c3edcc837cbc6469236b126d7808b251fb3f9b
                                                  • Instruction ID: 77b48c5b8358bc8ce0e359ad97f160030186fb25f9c8a03d7ee4bad72bae785a
                                                  • Opcode Fuzzy Hash: 7a31c60e968bd7e811e2795633c3edcc837cbc6469236b126d7808b251fb3f9b
                                                  • Instruction Fuzzy Hash: 9ED17D74A007969FDF28CFA4C880BEEBBF1BF4A304F14462DE45597652D775A844CBA0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DBCF96
                                                    • Part of subcall function 00DC1511: __EH_prolog.LIBCMT ref: 00DC1516
                                                    • Part of subcall function 00DC1511: _CxxThrowException.MSVCRT(?,00E2D480), ref: 00DC1561
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrow
                                                  • String ID:
                                                  • API String ID: 2366012087-0
                                                  • Opcode ID: 9cc20fe9070d0728a135eaa81dbb5944ac2b32d8e858bd4b4db66638df83a8ef
                                                  • Instruction ID: 30e3d45fa23f53d20994fa83620cb0ced824afa07751e934c2ee8b313e172a70
                                                  • Opcode Fuzzy Hash: 9cc20fe9070d0728a135eaa81dbb5944ac2b32d8e858bd4b4db66638df83a8ef
                                                  • Instruction Fuzzy Hash: A1516C70900289DFCB11DFA8C8C8BEEBBB5AF49304F1844AEE45A97242D7719E45DB31
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 7b3eb58ea34ff3ebe4cae59aca8d6a54ab7245e932b14706f39fe33c6122aa5c
                                                  • Instruction ID: f7e0610978fab5567dd3ae677aaab322f7361e22ee57a5875348903d14d86c1e
                                                  • Opcode Fuzzy Hash: 7b3eb58ea34ff3ebe4cae59aca8d6a54ab7245e932b14706f39fe33c6122aa5c
                                                  • Instruction Fuzzy Hash: B5515DB4A00606DFCB14DFA4C4809AAFBB2FF4A344B1449ADD592AB750D331E906CFA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 5e59a01126b11ad951302ebced9ddf22b6cec9f6d3370b821e872c28c44aaec5
                                                  • Instruction ID: 15b51dc0895b4717f9ca2ae7a40f1a1bdbd21c310026482e8852e68a29726a02
                                                  • Opcode Fuzzy Hash: 5e59a01126b11ad951302ebced9ddf22b6cec9f6d3370b821e872c28c44aaec5
                                                  • Instruction Fuzzy Hash: 6F41A070A00746EFDB24CF58C484BAABBE0BF44310F188A6DE49787691D770ED81CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D84255
                                                    • Part of subcall function 00D8440B: __EH_prolog.LIBCMT ref: 00D84410
                                                    • Part of subcall function 00D71E0C: malloc.MSVCRT ref: 00D71E1F
                                                    • Part of subcall function 00D71E0C: _CxxThrowException.MSVCRT(?,00E24B28), ref: 00D71E39
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrowmalloc
                                                  • String ID:
                                                  • API String ID: 3744649731-0
                                                  • Opcode ID: e55f563fd94554013eb5f71099664489a005f95ebdca8af79a0b7825119f6657
                                                  • Instruction ID: 0ec765c4d78d6695fa6a93afc279585829770f346e3bc436dd992cc34f1e2dc4
                                                  • Opcode Fuzzy Hash: e55f563fd94554013eb5f71099664489a005f95ebdca8af79a0b7825119f6657
                                                  • Instruction Fuzzy Hash: 135103B0805B84CFC325DF69C1856DAFBF0BF19304F9488AEC09E97652D7B4A648CB61
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D9D0E6
                                                    • Part of subcall function 00D71E0C: malloc.MSVCRT ref: 00D71E1F
                                                    • Part of subcall function 00D71E0C: _CxxThrowException.MSVCRT(?,00E24B28), ref: 00D71E39
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ExceptionH_prologThrowmalloc
                                                  • String ID:
                                                  • API String ID: 3978722251-0
                                                  • Opcode ID: 37a29431860c3ee2cbce4abf9badfdb07d53900e7f1026ecf2a8f674642dd546
                                                  • Instruction ID: bfed359fca554effe1698ba612082f02b5611dd6f28d45f950a14a8f6bb4a8bc
                                                  • Opcode Fuzzy Hash: 37a29431860c3ee2cbce4abf9badfdb07d53900e7f1026ecf2a8f674642dd546
                                                  • Instruction Fuzzy Hash: F6419172A003559FCF14DBA8C9457AEBBB5FF45710F244599E446E7282CB709D40CBB0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D87FCA
                                                    • Part of subcall function 00D7950D: SysAllocStringLen.OLEAUT32(?,?), ref: 00D7952C
                                                    • Part of subcall function 00D7950D: _CxxThrowException.MSVCRT(?,00E255B8), ref: 00D7954A
                                                  Similarity
                                                  • API ID: AllocExceptionH_prologStringThrow
                                                  • String ID:
                                                  • API String ID: 1940201546-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DAADBC
                                                    • Part of subcall function 00DAAD29: __EH_prolog.LIBCMT ref: 00DAAD2E
                                                    • Part of subcall function 00DAAF2D: __EH_prolog.LIBCMT ref: 00DAAF32
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D998F7
                                                    • Part of subcall function 00D99987: __EH_prolog.LIBCMT ref: 00D9998C
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D9021F
                                                    • Part of subcall function 00D83D66: __EH_prolog.LIBCMT ref: 00D83D6B
                                                    • Part of subcall function 00D83D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83D7D
                                                    • Part of subcall function 00D83D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83D94
                                                    • Part of subcall function 00D83D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00D83DB6
                                                    • Part of subcall function 00D83D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83DCB
                                                    • Part of subcall function 00D83D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83DD5
                                                  Similarity
                                                  • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 1532160333-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D91C74
                                                    • Part of subcall function 00D76C72: __EH_prolog.LIBCMT ref: 00D76C77
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D87E5F
                                                    • Part of subcall function 00D76C72: __EH_prolog.LIBCMT ref: 00D76C77
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                    • Part of subcall function 00D7757D: GetLastError.KERNEL32(00D7D14C), ref: 00D7757D
                                                  Similarity
                                                  • API ID: H_prolog$ErrorLastfree
                                                  • String ID:
                                                  • API String ID: 683690243-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DBBF91
                                                    • Part of subcall function 00DBD144: __EH_prolog.LIBCMT ref: 00DBD149
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  APIs
                                                  • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00D71AD1,00000000,00000002,00000002,?,00D77B3E,?,00000000), ref: 00D77AFD
                                                  Similarity
                                                  • API ID: FileTime
                                                  • String ID:
                                                  • API String ID: 1425588814-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DAC0B8
                                                    • Part of subcall function 00D97193: __EH_prolog.LIBCMT ref: 00D97198
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DB0364
                                                    • Part of subcall function 00DB01C4: __EH_prolog.LIBCMT ref: 00DB01C9
                                                    • Part of subcall function 00DB0143: __EH_prolog.LIBCMT ref: 00DB0148
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                    • Part of subcall function 00DB03D8: __EH_prolog.LIBCMT ref: 00DB03DD
                                                    • Part of subcall function 00DB004A: __EH_prolog.LIBCMT ref: 00DB004F
                                                  Similarity
                                                  • API ID: H_prolog$free
                                                  • String ID:
                                                  • API String ID: 2654054672-0
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DB550A
                                                    • Part of subcall function 00DB4E8A: __EH_prolog.LIBCMT ref: 00DB4E8F
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DB5E30
                                                    • Part of subcall function 00DB08B6: __aulldiv.LIBCMT ref: 00DB093F
                                                    • Part of subcall function 00D8DFC9: __EH_prolog.LIBCMT ref: 00D8DFCE
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$__aulldiv
                                                  • String ID:
                                                  • API String ID: 604474441-0
                                                  • Opcode ID: b5fa935386bba3e6ad1dd8c2216300fe7542c0a56f2ff0b09e6da3fc722f7223
                                                  • Instruction ID: cf1a045336a58a575afdbcc30bf01bc07dc1b0c9ac9b9b6e96d3b8073c0025f3
                                                  • Opcode Fuzzy Hash: b5fa935386bba3e6ad1dd8c2216300fe7542c0a56f2ff0b09e6da3fc722f7223
                                                  • Instruction Fuzzy Hash: 2CE03970A00760DFC755EFA8914128EBBE4FF08700F00586EA047E3B81DAB4AA008BA0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DB8ED6
                                                    • Part of subcall function 00DB9267: __EH_prolog.LIBCMT ref: 00DB926C
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: eec6b7f86f5f11b6e05db91f53f2900fc9937dbd7be946c897174d01dcd1c5d3
                                                  • Instruction ID: d1e3768c70f0447be914d55b9ab77bad4bb33cb769a8e6a29c7ade344f357b8b
                                                  • Opcode Fuzzy Hash: eec6b7f86f5f11b6e05db91f53f2900fc9937dbd7be946c897174d01dcd1c5d3
                                                  • Instruction Fuzzy Hash: ADE09271D10560DAC71DEB64E522BDDF7A8EF04704F80065DA003A2582CBB46644CBA5
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00D77C8B
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  • Opcode ID: dc314a246e7f8282fffabd3d0dcb2924a8e773f3143c610d2dc7fd240460114e
                                                  • Instruction ID: ec06d38e1fb9a301ca28b0e04b5252630def2a0ffd412f4b1153843e742fe6e8
                                                  • Opcode Fuzzy Hash: dc314a246e7f8282fffabd3d0dcb2924a8e773f3143c610d2dc7fd240460114e
                                                  • Instruction Fuzzy Hash: 05E06535640208FBCB01CFA1C800B8E7BB9AB09354F20C06AF818AA260D3399A10DF50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DBBE6E
                                                    • Part of subcall function 00DB5E2B: __EH_prolog.LIBCMT ref: 00DB5E30
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 6dcc9ae5aaa5e6c2fab5382d54daa595537099c208248fd6424654cbb4593778
                                                  • Instruction ID: f8acf28da088ab69bef78f8691567bb8bf449c626f07caf996304b292384ca63
                                                  • Opcode Fuzzy Hash: 6dcc9ae5aaa5e6c2fab5382d54daa595537099c208248fd6424654cbb4593778
                                                  • Instruction Fuzzy Hash: F7E09271A24A60CBD325EB64C011BDDB7E8FB00304F00855EE097E3282CFB4AA04CBB1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID:
                                                  • API String ID: 1795875747-0
                                                  • Opcode ID: dbbbfcd533153f753d2c05f29803691e32b9c409d36f796b93f379f0e0c75aa0
                                                  • Instruction ID: e29b3e30b099718b55786de7837345bd474fd237ba66f9d413b243811e9ea267
                                                  • Opcode Fuzzy Hash: dbbbfcd533153f753d2c05f29803691e32b9c409d36f796b93f379f0e0c75aa0
                                                  • Instruction Fuzzy Hash: 4AD01232504119BBCF156F98DC05CDD77BCEF08214B10441AF545F2150EA75EA1487A4
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DAF74A
                                                    • Part of subcall function 00DAF784: __EH_prolog.LIBCMT ref: 00DAF789
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID:
                                                  • API String ID: 3519838083-0
                                                  • Opcode ID: 405828701da03e2f1e8d70b09c94d2076ad6652741486f285ad543fdafb0ce6b
                                                  • Instruction ID: 05c72ebfdf5b119594e7fc34d568d6afe11934a62f4ee25a78cc5f2288aa38ff
                                                  • Opcode Fuzzy Hash: 405828701da03e2f1e8d70b09c94d2076ad6652741486f285ad543fdafb0ce6b
                                                  • Instruction Fuzzy Hash: E4D01271A10214BFD7149B95D813BEFB778EB41755F10056EF00171181C3B559408AB4
                                                  APIs
                                                  • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,00D7785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00D77B65
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: fc257bce2ec52ed5e9cf157eae772bb9c3ca5d7e87f072d3bce31e5de7ef995e
                                                  • Instruction ID: 6104274a0c453fb7bc28dcd094b5bfeb5960af448c0a85f280d861d2595e2367
                                                  • Opcode Fuzzy Hash: fc257bce2ec52ed5e9cf157eae772bb9c3ca5d7e87f072d3bce31e5de7ef995e
                                                  • Instruction Fuzzy Hash: 1EE0EC75241208FFDF01CF91CC01FCE7BB9AB49754F208058E915A6160C375AA54EB50
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DC80AF
                                                    • Part of subcall function 00D71E0C: malloc.MSVCRT ref: 00D71E1F
                                                    • Part of subcall function 00D71E0C: _CxxThrowException.MSVCRT(?,00E24B28), ref: 00D71E39
                                                    • Part of subcall function 00DBBDB5: __EH_prolog.LIBCMT ref: 00DBBDBA
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrowmalloc
                                                  • String ID:
                                                  • API String ID: 3744649731-0
                                                  • Opcode ID: e8f1b7929e6a93254cfde7a02d1046fbabb73b65be8d6f4aaf36e506b563b7d7
                                                  • Instruction ID: e930e70e62bcc66bc802092ad22bcab21d45e9b8cc9f7a0ea57a5f7608d6d0c4
                                                  • Opcode Fuzzy Hash: e8f1b7929e6a93254cfde7a02d1046fbabb73b65be8d6f4aaf36e506b563b7d7
                                                  • Instruction Fuzzy Hash: F4D05E71B01102AFCB18FFB89422BAE72E0EB84300F10457EB017E3B81EF7499808A30
                                                  APIs
                                                  • FindClose.KERNELBASE(00000000,?,00D76880), ref: 00D76853
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseFind
                                                  • String ID:
                                                  • API String ID: 1863332320-0
                                                  • Opcode ID: 68ae9d96e90315fc81d9970c61b8d1b9d65d0b25b610058b7d1b678decae1359
                                                  • Instruction ID: f98657888c53f9e0ed7b9fc4b67a05e8acfaaca570d32d5156f8554ea344fdac
                                                  • Opcode Fuzzy Hash: 68ae9d96e90315fc81d9970c61b8d1b9d65d0b25b610058b7d1b678decae1359
                                                  • Instruction Fuzzy Hash: ECD0123114462156CA645E3E78449C533D86F063343798759F0B4D31E2F760CC875660
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID:
                                                  • API String ID: 1795875747-0
                                                  • Opcode ID: 75432d436fec62be23b1de2caabd67b20b0218e6fa7653ecdb2a1f2870b1610e
                                                  • Instruction ID: 4f2a1f69b2b9c85fa4f1a8c827072a7e1046f985cf9666ff5644e4b5585215e0
                                                  • Opcode Fuzzy Hash: 75432d436fec62be23b1de2caabd67b20b0218e6fa7653ecdb2a1f2870b1610e
                                                  • Instruction Fuzzy Hash: FCD0C936148251AF96266F06EC09C8BBBB5FFD5320721482FF480921619B626929DAB0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputc
                                                  • String ID:
                                                  • API String ID: 1992160199-0
                                                  • Opcode ID: 2f4d66098a89bc91bc512e2de3d63cae596bc164e53eae1c5c19527e7ac830b4
                                                  • Instruction ID: 15b88e92b25fcbe3149f9be9e7bbb784dade9cf31fdae6aff79e3d9eb66bfd37
                                                  • Opcode Fuzzy Hash: 2f4d66098a89bc91bc512e2de3d63cae596bc164e53eae1c5c19527e7ac830b4
                                                  • Instruction Fuzzy Hash: 39B09232389220AFE6191A9CBC0AAC067A4DB09732B21005BF944D2190DA911C814A95
                                                  APIs
                                                  • SetFileTime.KERNELBASE(?,?,?,?,00D77C65,00000000,00000000,?,00D7F238,?,?,?,?), ref: 00D77C49
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FileTime
                                                  • String ID:
                                                  • API String ID: 1425588814-0
                                                  • Opcode ID: cd36a98cdc8c3eb9d4012e4fdda96ceac36c8741826c2cd29fd8594a1bf73810
                                                  • Instruction ID: 23a1a34c3c2ebce620823a5cbfc4441348dda0b4d122f10499bd5cc4e066b58d
                                                  • Opcode Fuzzy Hash: cd36a98cdc8c3eb9d4012e4fdda96ceac36c8741826c2cd29fd8594a1bf73810
                                                  • Instruction Fuzzy Hash: E0C00236299105BE8A020F60C804C1ABBA2ABA5711F10C918B159C4070C6328024AB02
                                                  APIs
                                                  • SetEndOfFile.KERNELBASE(?,00D77D81,?,?,?), ref: 00D77D3E
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: File
                                                  • String ID:
                                                  • API String ID: 749574446-0
                                                  • Opcode ID: 67295b83ffe456a948709c23165dae1fcbb7e0b3fc672a225c3b799e5d538f2e
                                                  • Instruction ID: 1e3321110eef792a1e9e7bc8128d94ae5148f8652fe570ecea86cfe5c3ec0260
                                                  • Opcode Fuzzy Hash: 67295b83ffe456a948709c23165dae1fcbb7e0b3fc672a225c3b799e5d538f2e
                                                  • Instruction Fuzzy Hash: D3A002743E621B9F8F111F35DC098643AB1BB5370777067A4B003DA4F5DF22445DAA01
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memmove
                                                  • String ID:
                                                  • API String ID: 2162964266-0
                                                  • Opcode ID: c1cd52ed8207a3ff7e23cf5dfb31b93f6434d99b660535669099a3cd43bb7f05
                                                  • Instruction ID: 1d373f43dccddc0c12185b9240cb239630bab76fd904697a74f306174c3d00d5
                                                  • Opcode Fuzzy Hash: c1cd52ed8207a3ff7e23cf5dfb31b93f6434d99b660535669099a3cd43bb7f05
                                                  • Instruction Fuzzy Hash: E7813C71E142499FCF14CFA8C5C4AADBBB1AF48304F18E46ED919A7251E771AA84CB60
                                                  APIs
                                                  • CloseHandle.KERNELBASE(00000000,00000000,00D83D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00D83E12
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: f3d5830df6987c76f588f944365d365c1b5d7c102fcaec578372848922b13983
                                                  • Instruction ID: 2241e2d7d5e5462e7ec03ffce95202986967633e8eba190d011b5ea26228611c
                                                  • Opcode Fuzzy Hash: f3d5830df6987c76f588f944365d365c1b5d7c102fcaec578372848922b13983
                                                  • Instruction Fuzzy Hash: EED0123165521157DB716E2DF8047D563DD6F10722B194559F884DB140E764CCD25B60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID:
                                                  • API String ID: 2803490479-0
                                                  • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                                  • Instruction ID: 16f0660da9b329326397cbaa435d9a38165f9b6ae138853a99c9c2862908db5e
                                                  • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                                  • Instruction Fuzzy Hash: BDD0C9A161260906DF584A34584AB7A22D42B5031AB2DC5B8E912DAA92EB19C629D268
                                                  APIs
                                                  • CloseHandle.KERNELBASE(00000000,?,00D775AF,00000002,?,00000000,00000000), ref: 00D77657
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID:
                                                  • API String ID: 2962429428-0
                                                  • Opcode ID: 1365715d0d94a42c457d6ec16bcf88a873e9e61dab7dc7aec173e53e98a24fa8
                                                  • Instruction ID: 41fbd98b47129b7dbf21131b5278443c1bdbc2881dc80941c3f5ce23f85aa836
                                                  • Opcode Fuzzy Hash: 1365715d0d94a42c457d6ec16bcf88a873e9e61dab7dc7aec173e53e98a24fa8
                                                  • Instruction Fuzzy Hash: 41D0123124962256CAA41E3C78459CA33D86B127343754B59F0B4D32E9E3608C874660
                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(00000000), ref: 00DF6B31
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 6a29c7ba24ef161532d8c3357cc798a968c79c7b2df4217faabe0812c665c641
                                                  • Instruction ID: 62214708b22b5937715b81c467f3fc4cc6ec66d0b2700472348cb2eff2e75457
                                                  • Opcode Fuzzy Hash: 6a29c7ba24ef161532d8c3357cc798a968c79c7b2df4217faabe0812c665c641
                                                  • Instruction Fuzzy Hash: 79C08CE1A8D280DFDF0217108C407A03B208B87300F0A00C1E404AB092C204180CC722
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID:
                                                  • API String ID: 2803490479-0
                                                  • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                                  • Instruction ID: 711c230f2b48661db2e5ad05f11b7f1cb06d52c0b23f2c185582db0fe917c325
                                                  • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                                  • Instruction Fuzzy Hash: 5FA024C551104001DD3C11303C015371040135030F7C454FCF501D0503F715C11C1015
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID:
                                                  • API String ID: 2803490479-0
                                                  • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                                  • Instruction ID: d9f16bbb2b7b2236352a5f597e65e1427b5b8e14635f48d3948988a8482d7e04
                                                  • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                                  • Instruction Fuzzy Hash: 8CA012CCE0014001DD1410343801523205222E06097D8C474A40060506FA14C0182012
                                                  APIs
                                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00DF6BAC
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: FreeVirtual
                                                  • String ID:
                                                  • API String ID: 1263568516-0
                                                  • Opcode ID: 8c85a4c2ad1f400c2f351a5175bcaf85b6e5d39de50c5f24f0d9c8e5e7e290f2
                                                  • Instruction ID: 463bacdbe90d1f76b69bfbfa8df1ea2b88b202c33e1f6c84292c01af1627127d
                                                  • Opcode Fuzzy Hash: 8c85a4c2ad1f400c2f351a5175bcaf85b6e5d39de50c5f24f0d9c8e5e7e290f2
                                                  • Instruction Fuzzy Hash: 68A002B86C0700BBED60AB316D4FF9937247784F05F30C5447241B90D09AE470489A5C
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                                  • Instruction ID: ced29605b571d3e80c43d6dfa2c426546d511b8e7761a7022752089a5b4ec14a
                                                  • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                                  • Instruction ID: bf825b77adad7c74bb0819651412533cde91ec140525f700d1e5880fe4c3b1b8
                                                  • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                                  • Instruction Fuzzy Hash:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: free
                                                  • String ID:
                                                  • API String ID: 1294909896-0
                                                  • Opcode ID: a4f650309246b53becfb3e3db823e27f3f42878d1fb03d19614518cfa77ef9a5
                                                  • Instruction ID: 6775299032d5d1da0512bf23c92a1c0f6c37ce517d1238c0e1c01a401d55f15d
                                                  • Opcode Fuzzy Hash: a4f650309246b53becfb3e3db823e27f3f42878d1fb03d19614518cfa77ef9a5
                                                  • Instruction Fuzzy Hash: B6A00271586111EFDA051F11ED094C97B71EB89627B318459F457A0471CB314868BA01
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: Version
                                                  • String ID:
                                                  • API String ID: 1889659487-0
                                                  • Opcode ID: 6155ae13a6362bcfa119998ce26bf31a0373f5ee47e76af64dae2ad493c9360e
                                                  • Instruction ID: 98cc2278c1276cacdb9ee012cfd8f7c2bf6259364b55a6493535ea8ea988f717
                                                  • Opcode Fuzzy Hash: 6155ae13a6362bcfa119998ce26bf31a0373f5ee47e76af64dae2ad493c9360e
                                                  • Instruction Fuzzy Hash: 6BD0127291140547D740762CC9062D977A1F760300FC85994E865D1157F9A9CAD58292
                                                  APIs
                                                  • memcmp.MSVCRT(?,00E248A0,00000010), ref: 00D7C09E
                                                  • memcmp.MSVCRT(?,00E20258,00000010), ref: 00D7C0BB
                                                  • memcmp.MSVCRT(?,00E20348,00000010), ref: 00D7C0CE
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: c06d4e65f35f9c77d4998d05b7704865acfb7f36eec38f65aca579a69cd144cd
                                                  • Instruction ID: 3782bcda9fdca41b16ae838a90a3f58b8920c2a3e5f565ec8b994cc2c645a1a2
                                                  • Opcode Fuzzy Hash: c06d4e65f35f9c77d4998d05b7704865acfb7f36eec38f65aca579a69cd144cd
                                                  • Instruction Fuzzy Hash: 3F915D71650710AFE7649B21DC42FAB73A8AB65750B04E12CFD8EE7642F720EE44C7A4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                                  • API String ID: 3519838083-1909666238
                                                  • Opcode ID: f978c194e3a67de5bdc09b3ef289f9a94ae9f3e3d4dcc6b2eb14a8d93d23030e
                                                  • Instruction ID: 3266e087c8b170a3c61aa789660fda95ede471dd5b3b55f61737d38d639be38d
                                                  • Opcode Fuzzy Hash: f978c194e3a67de5bdc09b3ef289f9a94ae9f3e3d4dcc6b2eb14a8d93d23030e
                                                  • Instruction Fuzzy Hash: 99C1AD319002C5AFCB19DF64D851AFD7BA1EB01350F5980AAE0896B362EB319E45EB71
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D764F8
                                                  • GetCurrentThreadId.KERNEL32 ref: 00D76508
                                                  • GetTickCount.KERNEL32 ref: 00D76513
                                                  • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00D7651E
                                                  • GetTickCount.KERNEL32 ref: 00D76578
                                                  • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 00D765C5
                                                  • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00D765EC
                                                    • Part of subcall function 00D75D7A: __EH_prolog.LIBCMT ref: 00D75D7F
                                                    • Part of subcall function 00D75D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00D75DA1
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                                  • String ID: .tmp$d
                                                  • API String ID: 1989517917-2797371523
                                                  • Opcode ID: 9ff6fec92e1fbb522cda99a1e735c4265ed8a2fbaed8d6e4629de2d00df940b4
                                                  • Instruction ID: 182f380714f4e5623975badf663ce571632e8c1ae4524adc435b5e7d838a490e
                                                  • Opcode Fuzzy Hash: 9ff6fec92e1fbb522cda99a1e735c4265ed8a2fbaed8d6e4629de2d00df940b4
                                                  • Instruction Fuzzy Hash: 9941ED32A505249FCF15AFA4D8057EC77B0FF15314F248129E80AB61A1FB34C804DA31
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prologfputs
                                                  • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                                  • API String ID: 1798449854-1259944392
                                                  • Opcode ID: d4c0b68f859d40ed5329174c28d13b41f51493139677dc03e85cb44f3e13a5e0
                                                  • Instruction ID: c56311230d17f8ae709b8b0f6503bf0e548e8f94ee34bbe486e14444a01fbc29
                                                  • Opcode Fuzzy Hash: d4c0b68f859d40ed5329174c28d13b41f51493139677dc03e85cb44f3e13a5e0
                                                  • Instruction Fuzzy Hash: 47217132A00604DFCB15EBA4C442AEEB7B4FF55310B444429F546E76A2DB70ED468BF4
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DCC453
                                                    • Part of subcall function 00DCC1DF: __EH_prolog.LIBCMT ref: 00DCC1E4
                                                    • Part of subcall function 00DCC543: __EH_prolog.LIBCMT ref: 00DCC548
                                                    • Part of subcall function 00D71E0C: malloc.MSVCRT ref: 00D71E1F
                                                    • Part of subcall function 00D71E0C: _CxxThrowException.MSVCRT(?,00E24B28), ref: 00D71E39
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                   • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                   • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$ExceptionThrowmalloc
                                                  • String ID: (($<($<($L($\(
                                                  • API String ID: 3744649731-3236170738
                                                  • Opcode ID: b00a35f4cbe156b9e89680b356d1f639973dcc04b4ebbff4eb186019f98e3c3f
                                                  • Instruction ID: 12483c3fe87d0b4d464da8f4c3a7431c59cc6ef02f229542a0252f63359a0398
                                                  • Opcode Fuzzy Hash: b00a35f4cbe156b9e89680b356d1f639973dcc04b4ebbff4eb186019f98e3c3f
                                                  • Instruction Fuzzy Hash: 0021D0B0911740DEC728DF6AC44A69BFBF4FF90300F10991ED19AA7711DBB0A648CB60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D7A091
                                                    • Part of subcall function 00D79BAA: RegCloseKey.ADVAPI32(?,?,00D79BA0), ref: 00D79BB6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CloseH_prolog
                                                  • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                                  • API String ID: 1579395594-270022386
                                                  • Opcode ID: 548890c9671bd5198b3c0055d53a53c9ff4ed53368eff05b11ddbce77a823459
                                                  • Instruction ID: 1dc2008ddd071a99f58a9272f06b568b1a35fcc4e180371ef868c5cb0e3d3672
                                                  • Opcode Fuzzy Hash: 548890c9671bd5198b3c0055d53a53c9ff4ed53368eff05b11ddbce77a823459
                                                  • Instruction Fuzzy Hash: 3251A271A403459FDB20EF98C8929EEB7B5FF98300F54842DE51AB7281EB709945CB72
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DA602A
                                                  • EnterCriticalSection.KERNEL32(00E32938), ref: 00DA6044
                                                  • LeaveCriticalSection.KERNEL32(00E32938), ref: 00DA6060
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: CriticalSection$EnterH_prologLeave
                                                  • String ID: v$8)
                                                  • API String ID: 367238759-810098605
                                                  • Opcode ID: eae7bb783275b7271c2f2392183a5ce31dfa84c80a1b5ed54c3f905fd6c1ca89
                                                  • Instruction ID: 8e1ebdae4bd5cb92d6d04278d28f47a96075faa82e0a300e276d0a0aa7b55640
                                                  • Opcode Fuzzy Hash: eae7bb783275b7271c2f2392183a5ce31dfa84c80a1b5ed54c3f905fd6c1ca89
                                                  • Instruction Fuzzy Hash: 68F03A76900114EFC701DF98D909ADEBBB8FF89350F14906AF545E7251C7B5DA44CBA0
                                                  APIs
                                                  • memset.MSVCRT ref: 00DD03F5
                                                  • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00DD0490
                                                  • memset.MSVCRT ref: 00DD0618
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memset$memcpy
                                                  • String ID: $@
                                                  • API String ID: 368790112-1077428164
                                                  • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                                  • Instruction ID: 2dbb0ace5e2c07a6a32972edbab825476910d06a11a91e9be813f18b7d4a004d
                                                  • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                                  • Instruction Fuzzy Hash: DF919130900709AFEB20DF24C841BDABBB1EF94314F14855AE59A57692D770FA99CFB0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D76141
                                                    • Part of subcall function 00D76C72: __EH_prolog.LIBCMT ref: 00D76C77
                                                  • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00D76197
                                                  • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00D7626E
                                                  • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 00D762A9
                                                    • Part of subcall function 00D76096: __EH_prolog.LIBCMT ref: 00D7609B
                                                    • Part of subcall function 00D76096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00D760DF
                                                  • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00D76285
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$H_prolog$DeleteFile
                                                  • String ID:
                                                  • API String ID: 3586524497-0
                                                  • Opcode ID: 2ace8af3271b3d3dede2ed2c609222dd4baee69ea19eef7b7116190af9bd6c9d
                                                  • Instruction ID: 0ff326926fd4674461a50cf0c6d2200bd67dbb308a31e86da8af33db48524d2a
                                                  • Opcode Fuzzy Hash: 2ace8af3271b3d3dede2ed2c609222dd4baee69ea19eef7b7116190af9bd6c9d
                                                  • Instruction Fuzzy Hash: B9519831C04628AADF15EBA8D845BEDBB74EF15340F14C159E85973192FB34AA0ACB71
                                                  APIs
                                                  • memcmp.MSVCRT(?,00E248A0,00000010), ref: 00D844DB
                                                  • memcmp.MSVCRT(?,00E20128,00000010), ref: 00D844EE
                                                  • memcmp.MSVCRT(?,00E20228,00000010), ref: 00D8450B
                                                  • memcmp.MSVCRT(?,00E20248,00000010), ref: 00D84528
                                                  • memcmp.MSVCRT(?,00E201C8,00000010), ref: 00D84545
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: f5d28337d05d3860527ea40bc32ca4410523c66084d79ca29fea3a462bf18df4
                                                  • Instruction ID: c1c0e731faf516d358a04df8f174377445d11e4aac95691e298f309eaf6452b3
                                                  • Opcode Fuzzy Hash: f5d28337d05d3860527ea40bc32ca4410523c66084d79ca29fea3a462bf18df4
                                                  • Instruction Fuzzy Hash: 5D2192B2740309ABE718EE24DC82F7E73EC9B507A4F048179FD45AA286F674DD5087A0
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D7A389
                                                    • Part of subcall function 00D7A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,00D7A3C1,00000001), ref: 00D7A4CD
                                                    • Part of subcall function 00D7A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00D7A4DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AddressH_prologHandleModuleProc
                                                  • String ID: : $ SP:$Windows
                                                  • API String ID: 786088110-3655538264
                                                  • Opcode ID: b985896e54ff33bc19d89cd8fda1d6cbf7bc85c9dc4b80faff72ee12e3b95114
                                                  • Instruction ID: 6f2c65985f092b346e0168e5eae243d41a56dc5e9edc63d812963e5dc8592ba9
                                                  • Opcode Fuzzy Hash: b985896e54ff33bc19d89cd8fda1d6cbf7bc85c9dc4b80faff72ee12e3b95114
                                                  • Instruction Fuzzy Hash: 4C31EA319002599ACF15EBA4C8929FEBBB4FF54300F44806AE60A72191FB725A85CEB1
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,00D7A3C1,00000001), ref: 00D7A4CD
                                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00D7A4DD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: RtlGetVersion$ntdll.dll
                                                  • API String ID: 1646373207-1489217083
                                                  • Opcode ID: a01591653716e89c3bb48d268d03c8aefc5cb91c250df182a4d9d9cde8ed24e1
                                                  • Instruction ID: e757eebcab97a8ad301160d428ee7836f4c7f378469d195b19e38db134859188
                                                  • Opcode Fuzzy Hash: a01591653716e89c3bb48d268d03c8aefc5cb91c250df182a4d9d9cde8ed24e1
                                                  • Instruction Fuzzy Hash: 49D0A7313D93102EB6206AB93C0EBEA125D9B80B50715C416F808E0080F6C49DC200B1
                                                  APIs
                                                  • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00D90359
                                                  • GetLastError.KERNEL32(?,?,00000000,?), ref: 00D90382
                                                  • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 00D903DA
                                                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 00D903F0
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ErrorFileLastSecurity
                                                  • String ID:
                                                  • API String ID: 555121230-0
                                                  • Opcode ID: 546dfe6bc27890f94ce09c1d6f30bbaa56630a0a369c2b1c25e9e7a061ed03a7
                                                  • Instruction ID: e632d19b08e61af4e6f4a0fc1316a244d831f578c711a15ca148c55cce4be257
                                                  • Opcode Fuzzy Hash: 546dfe6bc27890f94ce09c1d6f30bbaa56630a0a369c2b1c25e9e7a061ed03a7
                                                  • Instruction Fuzzy Hash: 00318C74A00209EFDF10DFA4D880BAEBBB5FF48304F148959E566E7251D770AE45DB60
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D78300
                                                  • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00D7834F
                                                  • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00D7837C
                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00D7839B
                                                    • Part of subcall function 00D71E40: free.MSVCRT ref: 00D71E44
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                                  • String ID:
                                                  • API String ID: 1689166341-0
                                                  • Opcode ID: 68aed7744899e32288839e371f37812a30500c6a3599e82f2754573d1d22c1b5
                                                  • Instruction ID: 8c4ade5c993d38c7831cdc60829fd6bf0e06eed53d43862ba9ff8d90f8c06f0a
                                                  • Opcode Fuzzy Hash: 68aed7744899e32288839e371f37812a30500c6a3599e82f2754573d1d22c1b5
                                                  • Instruction Fuzzy Hash: 5821D6B2640104AFDF21AF98DC85AEE7BB9EF54740F24802DF848B6291DA314E44DA70
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: BlockPackSize$BlockUnpackSize
                                                  • API String ID: 3519838083-5494122
                                                  • Opcode ID: fba3082bc38cdabfc509ba18b781fd3c96f17a10c0747cf0ca2c7ef944107d72
                                                  • Instruction ID: 85a46ed61e627363f4816ebf46dbd7d305baf83f71692e60b58d2a63baab2fb3
                                                  • Opcode Fuzzy Hash: fba3082bc38cdabfc509ba18b781fd3c96f17a10c0747cf0ca2c7ef944107d72
                                                  • Instruction Fuzzy Hash: 3E51C671C00685DEEF39CB6488A1AFDBBB1AF26310F1C805ED09B56191DA29DD88D739
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00D7A4F8
                                                    • Part of subcall function 00D7A384: __EH_prolog.LIBCMT ref: 00D7A389
                                                    • Part of subcall function 00D79E14: GetSystemInfo.KERNEL32(?), ref: 00D79E36
                                                    • Part of subcall function 00D79E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00D79E50
                                                    • Part of subcall function 00D79E14: GetProcAddress.KERNEL32(00000000), ref: 00D79E57
                                                  • strcmp.MSVCRT ref: 00D7A564
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                                  • String ID: -
                                                  • API String ID: 2798778560-3695764949
                                                  • Opcode ID: e551b0a1b203a4a50e83b2ea4e14b3217ace13e5dc4e8c9cd8f30200954efa52
                                                  • Instruction ID: f2f2f65dc80a41c3931b9a61ca9573bf22da22980f9bc71c96979fc045ddeca9
                                                  • Opcode Fuzzy Hash: e551b0a1b203a4a50e83b2ea4e14b3217ace13e5dc4e8c9cd8f30200954efa52
                                                  • Instruction Fuzzy Hash: C0317A31D012599BCF19FBE8D8929EDB7B5EF54310F14802AF80972191FB315E45CA72
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: 0$x
                                                  • API String ID: 3519838083-1948001322
                                                  • Opcode ID: 28cdcd5d5019f9ff4ef9a9b2d9b2eb77b6c7561d374fa7a2253a0c5467a23611
                                                  • Instruction ID: 6f4aaff3ab3d3aabc13543ac425c549310d5cdd999ae0be74a1910207c4af639
                                                  • Opcode Fuzzy Hash: 28cdcd5d5019f9ff4ef9a9b2d9b2eb77b6c7561d374fa7a2253a0c5467a23611
                                                  • Instruction Fuzzy Hash: 55218E36D01269DBCF08EB98C992AEDB7B5FF49304F24012AE80577281EB755E44CBB1
                                                  APIs
                                                  • __EH_prolog.LIBCMT ref: 00DD4039
                                                    • Part of subcall function 00DD40BA: __EH_prolog.LIBCMT ref: 00DD40BF
                                                    • Part of subcall function 00DB5E2B: __EH_prolog.LIBCMT ref: 00DB5E30
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: H_prolog
                                                  • String ID: D.$T.
                                                  • API String ID: 3519838083-2450083918
                                                  • Opcode ID: c2c11c26938d7c8510996947905e045042c11e2025a13937fd19dc37a8239f5b
                                                  • Instruction ID: 063864c2d530125ab206883a02021c95f763e6e47e856d2c7ba17b3d098e9174
                                                  • Opcode Fuzzy Hash: c2c11c26938d7c8510996947905e045042c11e2025a13937fd19dc37a8239f5b
                                                  • Instruction Fuzzy Hash: 67012CB0A11710EFC724DF64D4062DABBF4EF48700F10991EE4AAA3741DBB0A648CFA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID: =
                                                  • API String ID: 1795875747-2525689732
                                                  • Opcode ID: 08a65c8237be855c718ecbe52e80fb051cd7c6735e4fbf813fad22dc03d9f420
                                                  • Instruction ID: a1a50828aacbf2cd4ab8b1e9ba3c47952acad122acfa7e36be1f2a41952cad3f
                                                  • Opcode Fuzzy Hash: 08a65c8237be855c718ecbe52e80fb051cd7c6735e4fbf813fad22dc03d9f420
                                                  • Instruction Fuzzy Hash: EEE0DF35A00214ABCF04ABED9C418FE7B79FB843147100822E815E7200FA70D929DBF0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: fputs
                                                  • String ID: Unsupported Windows version$p&
                                                  • API String ID: 1795875747-3101385492
                                                  • Opcode ID: 1e1a2ec99bf748b23220cbed7482e6dfaf5a6871ad840741cc2fbe8acdf30a9a
                                                  • Instruction ID: 55f31cb093f225dee75e9abb8d54d9b11a967b8396767670c4e851958653e0ea
                                                  • Opcode Fuzzy Hash: 1e1a2ec99bf748b23220cbed7482e6dfaf5a6871ad840741cc2fbe8acdf30a9a
                                                  • Instruction Fuzzy Hash: 93D0A733784200EFD7054F89F446B943770E388720F20445BE103D5190D775A1058A10
                                                  APIs
                                                  • memcmp.MSVCRT(?,00E248A0,00000010), ref: 00DD41D6
                                                  • memcmp.MSVCRT(?,00E20168,00000010), ref: 00DD41F1
                                                  • memcmp.MSVCRT(?,00E201E8,00000010), ref: 00DD4205
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.1720081883.0000000000D71000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00D70000, based on PE: true
                                                  • Associated: 00000008.00000002.1720050519.0000000000D70000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720178191.0000000000E1C000.00000002.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720224270.0000000000E32000.00000004.00000001.01000000.0000000A.sdmp
                                                  • Associated: 00000008.00000002.1720260799.0000000000E3B000.00000002.00000001.01000000.0000000A.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_d70000_7zr.jbxd
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID:
                                                  • API String ID: 1475443563-0
                                                  • Opcode ID: d55dff8656bb857c548359d8075e217ad61025402573089145d37964eb0fa5a9
                                                  • Instruction ID: a9862886de2bc338ae2b4781358a3c970b4975d3d0a512c5c1d5e6f4f6cb74a3
                                                  • Opcode Fuzzy Hash: d55dff8656bb857c548359d8075e217ad61025402573089145d37964eb0fa5a9
                                                  • Instruction Fuzzy Hash: ED01613134030567E7148A149C83F6E77E89B65750F18453AFE85BB282F6B4E9A09668