Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe

Overview

General Information

Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
renamed because original name is a hash value
Original sample name:_1.1.0.exe
Analysis ID:1580549
MD5:cc4c53c634a350d8040888ff38df9e20
SHA1:1f3af1bab4b2e172c59fe165169976c20028a4fa
SHA256:13ded7ac74245dd01f80304bb56bb9f9480e20bf4a5166ed1287f5cd22f53f6a
Tags:exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe (PID: 2352 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" MD5: CC4C53C634A350D8040888FF38DF9E20)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp (PID: 5660 cmdline: "C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" MD5: 6B62BAE0EB64E164C7CA6E4C80727D80)
      • powershell.exe (PID: 4324 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 2196 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe (PID: 6084 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT MD5: CC4C53C634A350D8040888FF38DF9E20)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp (PID: 2044 cmdline: "C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$20448,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT MD5: 6B62BAE0EB64E164C7CA6E4C80727D80)
          • 7zr.exe (PID: 3060 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 5480 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
          • cmd.exe (PID: 7840 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 7852 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • Conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1748 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5480 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • conhost.exe (PID: 2852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7220 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7236 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7252 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7268 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7340 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7356 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7424 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7472 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7488 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7540 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7556 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7608 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7624 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7760 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7812 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7824 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7880 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7896 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8084 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8140 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8156 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6936 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7200 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2504 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6960 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3512 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7248 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7292 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7376 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7360 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7464 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7572 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7580 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7644 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7648 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7716 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7808 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7916 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8008 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7972 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 8136 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 8132 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6940 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ParentProcessId: 5660, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4324, ProcessName: powershell.exe
Sigma detected: New Kernel Driver Via SC.EXE
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1748, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5480, ProcessName: sc.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ParentProcessId: 5660, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4324, ProcessName: powershell.exe
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1748, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 5480, ProcessName: sc.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ParentProcessId: 5660, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 4324, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcVirustotal: Detection: 37%Perma Link
Source: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbcReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbcVirustotal: Detection: 37%Perma Link
Source: C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\update.vbcReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeVirustotal: Detection: 8%Perma Link
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeReversingLabs: Detection: 13%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 82.0% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1703309272.0000000003680000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1703099758.0000000003480000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA6E090 FindFirstFileA,FindClose,5_2_6CA6E090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00046868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00046868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00047496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00047496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649386860.0000000003160000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649755401.000000007ECBB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1651548359.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000000.1662249540.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649386860.0000000003160000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649755401.000000007ECBB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1651548359.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000000.1662249540.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: 01 00 00 00 Jump to behavior

System Summary

barindex
PE file contains section with special chars
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.5.drStatic PE information: section name: .aQ#
Source: update.vbc.5.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8F3886
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA78810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6CA78810
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8F3C62
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA79450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6CA79450
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8F3D18
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8F3D62
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8F39CF
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8F3A6A
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F1950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C8F1950
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C8F4754
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F47545_2_6C8F4754
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CC58D125_2_6CC58D12
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CBC4F0A5_2_6CBC4F0A
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CBE38815_2_6CBE3881
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CC4B06F5_2_6CC4B06F
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA748605_2_6CA74860
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA7A1335_2_6CA7A133
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB87A465_2_6CB87A46
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CBFCB305_2_6CBFCB30
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAD9CE05_2_6CAD9CE0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB26D505_2_6CB26D50
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAABEA15_2_6CAABEA1
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB2CE805_2_6CB2CE80
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAC5EC95_2_6CAC5EC9
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB218105_2_6CB21810
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB2C9F05_2_6CB2C9F0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB3D9305_2_6CB3D930
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAAB9725_2_6CAAB972
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB24AA05_2_6CB24AA0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB37AA05_2_6CB37AA0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB20AD05_2_6CB20AD0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB22A505_2_6CB22A50
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAB3BCA5_2_6CAB3BCA
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAC3B665_2_6CAC3B66
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAC840A5_2_6CAC840A
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB255805_2_6CB25580
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB325C05_2_6CB325C0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB2C6E05_2_6CB2C6E0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAAF7CF5_2_6CAAF7CF
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB4C7005_2_6CB4C700
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB230205_2_6CB23020
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB367505_2_6CB36750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000881EC9_2_000881EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0005E00A9_2_0005E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000700A09_2_000700A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C81C09_2_000C81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D82409_2_000D8240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C22E09_2_000C22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000E23009_2_000E2300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DC3C09_2_000DC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000AE49F9_2_000AE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D04C89_2_000D04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C25F09_2_000C25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000B86509_2_000B8650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BA6A09_2_000BA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000B66D09_2_000B66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000909439_2_00090943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BC9509_2_000BC950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DE9909_2_000DE990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C2A809_2_000C2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0009AB119_2_0009AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000B8C209_2_000B8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C6CE09_2_000C6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D0E009_2_000D0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D4EA09_2_000D4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000CD0899_2_000CD089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000A10AC9_2_000A10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000AB1219_2_000AB121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D11209_2_000D1120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BB1809_2_000BB180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C51809_2_000C5180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D91C09_2_000D91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BD1D09_2_000BD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D72009_2_000D7200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DD2C09_2_000DD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000CF3A09_2_000CF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000453CF9_2_000453CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DF3C09_2_000DF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0006B3E49_2_0006B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000A53F39_2_000A53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000B74109_2_000B7410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000CF4209_2_000CF420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DD4709_2_000DD470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0008D4969_2_0008D496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D54D09_2_000D54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BF5009_2_000BF500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000E351A9_2_000E351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D35309_2_000D3530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D15509_2_000D1550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000415729_2_00041572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DF5999_2_000DF599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000E36019_2_000E3601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000996529_2_00099652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000CD6A09_2_000CD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000597669_2_00059766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000D77C09_2_000D77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000497CA9_2_000497CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BF9109_2_000BF910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DD9E09_2_000DD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00041AA19_2_00041AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0005BAC99_2_0005BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00093AEF9_2_00093AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C7AF09_2_000C7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C7C509_2_000C7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0005BC929_2_0005BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000BFDF09_2_000BFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C5E809_2_000C5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C5F809_2_000C5F80
Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\Windows NT\hrsw.vbc 34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: SecurityJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: String function: 6CB49F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: String function: 6CAAC240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 000DFB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 000428E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00041E40 appears 84 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649386860.000000000327E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649755401.000000007EFBA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000000.1647981430.0000000000799000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.drBinary string: \Device\TfSysMon
Source: tProtect.dll.11.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@150/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA79450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6CA79450
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00049313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,9_2_00049313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00053D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,9_2_00053D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00049252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,9_2_00049252
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA78930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,5_2_6CA78930
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\is-1AVQ2.tmpJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2852:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7320:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6120:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7296:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7996:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7860:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7424:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7700:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4916:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:428:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmpJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeVirustotal: Detection: 8%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeReversingLabs: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$20448,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$20448,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic file information: File size 6351526 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1703309272.0000000003680000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1703099758.0000000003480000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_000C57D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.drStatic PE information: real checksum: 0x0 should be: 0x3437f2
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x3437f2
Source: update.vbc.5.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.1.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: real checksum: 0x0 should be: 0x61b208
Source: tProtect.dll.11.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: section name: .didata
Source: update.vbc.1.drStatic PE information: section name: .00cfg
Source: update.vbc.1.drStatic PE information: section name: .voltbl
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.drStatic PE information: section name: .didata
Source: 7zr.exe.5.drStatic PE information: section name: .sxdata
Source: hrsw.vbc.5.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.5.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.5.drStatic PE information: section name: .aQ#
Source: update.vbc.5.drStatic PE information: section name: .00cfg
Source: update.vbc.5.drStatic PE information: section name: .voltbl
Source: update.vbc.5.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA7BDDB push ecx; ret 5_2_6CA7BDEE
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C920F00 push ss; retn 0001h5_2_6C920F0A
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB49F10 push eax; ret 5_2_6CB49F2E
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CAAE9F4 push 004AC35Ch; ret 5_2_6CAAEA0E
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB4A290 push eax; ret 5_2_6CB4A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000445F4 push 000EC35Ch; ret 9_2_0004460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DFB10 push eax; ret 9_2_000DFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000DFE90 push eax; ret 9_2_000DFEBE
Source: update.vbc.1.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.5.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.5.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbcJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5708Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4082Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow / User API: threadDelayed 553Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow / User API: threadDelayed 594Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow / User API: threadDelayed 522Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeAPI coverage: 7.3 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6552Thread sleep time: -7378697629483816s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA6E090 FindFirstFileA,FindClose,5_2_6CA6E090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00046868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00046868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00047496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00047496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00049C60 GetSystemInfo,9_2_00049C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000002.1662758502.000000000080D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\O
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1658033562.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, is-1AVQ2.tmp.5.drBinary or memory string: (qeMu
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000002.1662758502.000000000080D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}w
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6C8F3886 NtSetInformationThread 00000000,00000011,00000000,000000005_2_6C8F3886
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA83871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CA83871
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000C57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_000C57D0
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA8D425 mov eax, dword ptr fs:[00000030h]5_2_6CA8D425
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA8D456 mov eax, dword ptr fs:[00000030h]5_2_6CA8D456
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA8286D mov eax, dword ptr fs:[00000030h]5_2_6CA8286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA83871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CA83871
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CA7C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_6CA7C3AD

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Found driver which could be used to inject code into processes
Source: tProtect.dll.11.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 5_2_6CB4A720 cpuid 5_2_6CB4A720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0004AB2A GetSystemTimeAsFileTime,9_2_0004AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_000E0090 GetVersion,9_2_000E0090
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
Windows Management Instrumentation		1
Windows Service		1
Access Token Manipulation		11
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
Windows Service		1
Disable or Modify Tools		LSASS Memory431
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Service Execution		Logon Script (Windows)111
Process Injection		231
Virtualization/Sandbox Evasion		Security Account Manager231
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
Native API		Login Hook1
DLL Side-Loading		1
Access Token Manipulation		NTDS2
Process Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
Process Injection		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information		Cached Domain Credentials2
System Owner/User Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
Obfuscated Files or Information		DCSync3
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing		Proc Filesystem25
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1580549 Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... Startdate: 25/12/2024 Architecture: WINDOWS Score: 96 97 Multi AV Scanner detection for dropped file 2->97 99 Multi AV Scanner detection for submitted file 2->99 101 Found driver which could be used to inject code into processes 2->101 103 3 other signatures 2->103 11 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe 2 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 31 other processes 2->18 process3 file4 95 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, PE32 11->95 dropped 20 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp 3 5 11->20         started        24 sc.exe 1 14->24         started        26 sc.exe 1 16->26         started        28 sc.exe 1 18->28         started        30 sc.exe 1 18->30         started        32 sc.exe 1 18->32         started        34 27 other processes 18->34 process5 file6 81 C:\Users\user\AppData\Local\...\update.vbc, PE32 20->81 dropped 83 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->83 dropped 105 Adds a directory exclusion to Windows Defender 20->105 36 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe 2 20->36         started        39 powershell.exe 23 20->39         started        42 conhost.exe 24->42         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 28->48         started        50 conhost.exe 30->50         started        52 conhost.exe 32->52         started        54 27 other processes 34->54 signatures7 process8 file9 85 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, PE32 36->85 dropped 56 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp 4 15 36->56         started        107 Loading BitLocker PowerShell Module 39->107 60 conhost.exe 39->60         started        62 WmiPrvSE.exe 39->62         started        signatures10 process11 file12 87 C:\Users\user\AppData\Local\...\update.vbc, PE32 56->87 dropped 89 C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32 56->89 dropped 91 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 56->91 dropped 93 C:\Program Files (x86)\Windows NT\7zr.exe, PE32 56->93 dropped 109 Query firmware table information (likely to detect VMs) 56->109 111 Protects its processes via BreakOnTermination flag 56->111 113 Hides threads from debuggers 56->113 115 Contains functionality to hide a thread from the debugger 56->115 64 7zr.exe 2 56->64         started        67 cmd.exe 56->67         started        69 7zr.exe 7 56->69         started        signatures13 process14 file15 79 C:\Program Files (x86)\...\tProtect.dll, PE32+ 64->79 dropped 71 sc.exe 67->71         started        73 Conhost.exe 67->73         started        75 conhost.exe 69->75         started        process16 process17 77 conhost.exe 71->77         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe8%VirustotalBrowse
#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe13%ReversingLabsWin32.Trojan.Generic

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\Windows NT\7zr.exe0%ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe0%VirustotalBrowse
C:\Program Files (x86)\Windows NT\hrsw.vbc26%ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc38%VirustotalBrowse
C:\Program Files (x86)\Windows NT\tProtect.dll9%ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll6%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\_isetup\_setup64.tmp0%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbc26%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbc38%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\update.vbc26%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exefalse
    		high
    https://www.remobjects.com/ps#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649386860.0000000003160000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649755401.000000007ECBB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1651548359.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000000.1662249540.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drfalse
      		high
      https://www.innosetup.com/#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649386860.0000000003160000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1649755401.000000007ECBB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1651548359.00000000009F1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000005.00000000.1662249540.000000000064D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drfalse
        		high

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580549
        Start date and time:2024-12-25 04:28:07 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 8m 46s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:112
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
        renamed because original name is a hash value
        Original Sample Name:_1.1.0.exe
        Detection:MAL
        Classification:mal96.evad.winEXE@150/31@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 74%
        • Number of executed functions: 121
        • Number of non-executed functions: 103
        Cookbook Comments:
        • Found application associated with file extension: .exe

        Warnings

        • Excluded IPs from analysis (whitelisted): 52.149.20.212
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        22:28:57API Interceptor1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp modified
        22:29:00API Interceptor19x Sleep call for process: powershell.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        C:\Program Files (x86)\Windows NT\7zr.exe#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
          #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
            #U5b89#U88c5#U52a9#U624b2.0.6.exeGet hashmaliciousUnknownBrowse
              #U5b89#U88c5#U52a9#U624b2.0.7.exeGet hashmaliciousUnknownBrowse
                #U5b89#U88c5#U52a9#U624b2.0.5.exeGet hashmaliciousUnknownBrowse
                  #U5b89#U88c5#U52a9#U624b2.0.4.exeGet hashmaliciousUnknownBrowse
                    #U5b89#U88c5#U52a9#U624b2.0.2.exeGet hashmaliciousUnknownBrowse
                      #U5b89#U88c5#U52a9#U624b2.0.3.exeGet hashmaliciousUnknownBrowse
                        #U5b89#U88c5#U52a9#U624b2.0.1.exeGet hashmaliciousUnknownBrowse
                          #U5b89#U88c5#U52a9#U624b2.0.6.exeGet hashmaliciousUnknownBrowse
                            C:\Program Files (x86)\Windows NT\hrsw.vbc#U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                              #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse

                                Created / dropped Files

                                C:\Program Files (x86)\Windows NT\7zr.exe

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):831200
                                Entropy (8bit):6.671005303304742
                                Encrypted:false
                                SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                                MD5:84DC4B92D860E8AEA55D12B1E87EA108
                                SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                                SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                                SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Joe Sandbox View:
                                • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

                                C:\Program Files (x86)\Windows NT\file.dat (copy)

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):1479328
                                Entropy (8bit):7.999879236620477
                                Encrypted:true
                                SSDEEP:24576:dpVUk7xQQd/X6U3yXEVuw7AmG+slCUCZsuuAnvToXr6RiZJHMYOkRQ7Www/Pg9I4:dF73X6Ir37AmTUClZ9bjxYO1wXg9DmMn
                                MD5:03F04576ABD49BE131EC6BB04C97E830
                                SHA1:5EC5F38B2E9664EE853C9B9E08D95D1EF006EE0D
                                SHA-256:67CC858AFE160F673BDE0E8778933D6312AF5D6DC8526190E635792237A6FE07
                                SHA-512:8C1CD36278286E6349A22364E065205EAC19FC843AA0316D8B563FA4008307F7062A13D7EAF6278B8A6F11C9FC4A628FFFD15692A2080AFF782AF16466E4586B
                                Malicious:false
                                Preview:.@S.......n..............usnP}....di..*.D.......4...pj.)sED.1{}d.U....JB.i.).b\.Hi......UBZ9Ueh...L...~.,.udH.Zt.U.l....r.{..~..ymh.h6.^..........5@o.$.~i'~]1..+.g.h.$..a.R...//r.!tsI...#"].E..=A.....k........SP.`.g......M..~...W.3..".0=..-..*.V..-...4......?v...F.~6.'xI.jb..7-.@)..k.c..{.0.&.2.). ..E..].H.o?...\.XnM.>...F]...gm4E..5...S..{g....+4.J..n..#W.$...z>.|.Ss8|<}.....m...P..........U..~.ms;..o..U..e.......]/1'.-g./f...#.....7..y....m.xp...R.*.3V~!.......S|.wBRQ4-.j..M.......W.U.^b..2...UB.T.....!...q.J7.2j{o.A.I.a....8..y...Q.Z.M....4.c.$B.S ....G..pz0a(#G....U...PW.+..p8.@..>.p...X.p.t..-...JA.. ....C:..B......%..y...1..Kg...]...l.,.P..T....9.4]$..A..bD..t}.......m.%......,Q.iMl#-.|......q...?`.q.M...|.........p..pt.lj...#&.....m.@:....B.lY.....v....D..\..uC@CpR.9< +../...".....v.!.|A. ;D?*..c|.j..8./....N.g..i?ER.10e=. .!.|Q..@A.i.}a..t.....N..+..5....)..!.>..=.)....H3#n0.a.1(Ib.p.W.....v....g@4...l.D...~>.&..g.0..a6X.A..1K.k....q

                                C:\Program Files (x86)\Windows NT\hrsw.vbc

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3621376
                                Entropy (8bit):7.006090025798393
                                Encrypted:false
                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 26%
                                • Antivirus: Virustotal, Detection: 38%, Browse
                                Joe Sandbox View:
                                • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                                • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                                C:\Program Files (x86)\Windows NT\is-1AVQ2.tmp

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:data
                                Category:dropped
                                Size (bytes):1479328
                                Entropy (8bit):7.999879236620477
                                Encrypted:true
                                SSDEEP:24576:dpVUk7xQQd/X6U3yXEVuw7AmG+slCUCZsuuAnvToXr6RiZJHMYOkRQ7Www/Pg9I4:dF73X6Ir37AmTUClZ9bjxYO1wXg9DmMn
                                MD5:03F04576ABD49BE131EC6BB04C97E830
                                SHA1:5EC5F38B2E9664EE853C9B9E08D95D1EF006EE0D
                                SHA-256:67CC858AFE160F673BDE0E8778933D6312AF5D6DC8526190E635792237A6FE07
                                SHA-512:8C1CD36278286E6349A22364E065205EAC19FC843AA0316D8B563FA4008307F7062A13D7EAF6278B8A6F11C9FC4A628FFFD15692A2080AFF782AF16466E4586B
                                Malicious:false
                                Preview:.@S.......n..............usnP}....di..*.D.......4...pj.)sED.1{}d.U....JB.i.).b\.Hi......UBZ9Ueh...L...~.,.udH.Zt.U.l....r.{..~..ymh.h6.^..........5@o.$.~i'~]1..+.g.h.$..a.R...//r.!tsI...#"].E..=A.....k........SP.`.g......M..~...W.3..".0=..-..*.V..-...4......?v...F.~6.'xI.jb..7-.@)..k.c..{.0.&.2.). ..E..].H.o?...\.XnM.>...F]...gm4E..5...S..{g....+4.J..n..#W.$...z>.|.Ss8|<}.....m...P..........U..~.ms;..o..U..e.......]/1'.-g./f...#.....7..y....m.xp...R.*.3V~!.......S|.wBRQ4-.j..M.......W.U.^b..2...UB.T.....!...q.J7.2j{o.A.I.a....8..y...Q.Z.M....4.c.$B.S ....G..pz0a(#G....U...PW.+..p8.@..>.p...X.p.t..-...JA.. ....C:..B......%..y...1..Kg...]...l.,.P..T....9.4]$..A..bD..t}.......m.%......,Q.iMl#-.|......q...?`.q.M...|.........p..pt.lj...#&.....m.@:....B.lY.....v....D..\..uC@CpR.9< +../...".....v.!.|A. ;D?*..c|.j..8./....N.g..i?ER.10e=. .!.|Q..@A.i.}a..t.....N..+..5....)..!.>..=.)....H3#n0.a.1(Ib.p.W.....v....g@4...l.D...~>.&..g.0..a6X.A..1K.k....q

                                C:\Program Files (x86)\Windows NT\locale.bin

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56530
                                Entropy (8bit):7.997132694942412
                                Encrypted:true
                                SSDEEP:1536:vsdG2eWqexddSNh8NZxxBQ3Wm2gvwzGOgfj:klSNGPQRvfOy
                                MD5:4FA297F011D88BCF2F29258E508C2430
                                SHA1:E3983636567AA3A60C618A8EB8FF34EB8A50EA39
                                SHA-256:BF23B400117543AF20E63B064B666B11600BBB86DED0799CBCAC2D96E2FBC942
                                SHA-512:13B547DEB127AAEE017015D2095D5B0A60680F44687ED8014B66F0FF158E25EC8735E59D601776EA5E51208966232C225ADAC678A493BDCEA60FAB81BADCD502
                                Malicious:false
                                Preview:.@S....+...| ...............A{.D.w|.....8....W..A.".=u.........Y*...5b*.....j.-;.`...q...=..k...&.K..&....i....){`..W8Y...3....d..P.Wy.........Z4g._%J...n...e.ZB.|...E.I...a...p...v.|.w.....a.:.,.1...Y..IX0.`J...]5....AU.C...4......l.u..X.o:...X'...........R....0.H7.D.U..?P.4P.U.}.t)0x......m.l.h...sE=.A+.20R.\.9t..(....h...<..........{.4.m ty.A....d..QxS<~.<)Q..4~..c..=Q.u..;Yj:...od......]...;....t.O]...Y.W.;..e..k<..]...s||........>B....*......4;..9..R.&.(hi...v${.0je.v..d..5.k....x.;<3...i.......}.I.....O.].@.h...~f.#.D.c.t .s.BHF.rI...~...y.xjZh=..7..W.l.{......\...9.W.*7.,..d7V.....jOO....2.J..c..*.C._a.K.k.dj.8.f3.S.q....RHf...q.P.Q.w..n.......L... .Q..O!Z.-.8o...Y......W.\...<.~;..-+!K.V.Z.....(..*.....0[6.=..DR.V(..3O.A<....o....O....i.K.Hi...............->....]...;..v.\.P."...{?......bb.........!...."...-...WL.....WN.}.X.10.j.-5!.....&\.....J...-...6....b...>.v...rJ._....Y<v..IvW.....2.M.$ts...8B... .In....&.....S..<.}....k.....

                                C:\Program Files (x86)\Windows NT\locale.dat

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):56530
                                Entropy (8bit):7.997132694942403
                                Encrypted:true
                                SSDEEP:1536:2T8ko5BL2tRxmwRn1nUpQxrradMxi+Z8bgPO2iPf:2THRIwRn1VedMi0XPOlf
                                MD5:21705C726287510DCAC6EB71B115B02B
                                SHA1:A744FE3552C67101212A7DCB95995604245E3C50
                                SHA-256:F32DD750AF2EC280B6862ACD96B554F125B3D61AB38AA6C2A70815D73C91AC4C
                                SHA-512:A4F9AA83D29EAE3D9EFA71D6B12855A91ABD0625B199C9303C6E91CCE240161FDCFD26EC1602CF3392F24D5A53DDB4CDB5D366CF2A93ED55084689C97AE8F9B3
                                Malicious:false
                                Preview:7z..'....J~1........2.......9......t.kZ....6.BV......}~).lai.`....A..).".b.\..&..PU.{0ho..Z..z.......x..h..5:V.3.....zZ..&....?`1..uD.b6.9.{..v.../E..?...d.. S.qPE.V..=..kj+.yk..A...U.X..a.'.z....]y.b.......@.u....";}..\..)..\;.r..`.>..A...gp'.......Y.S.Y0.I...3Ol.;..E.s.l..@.....+...).L.-.y. .u~q...&..>i..|... &.9:6L4.Q.U.Y}/..dk..3.......w......Iw......O..Ub.T...n....RV........YuY9.).5.g.et./.Q...a>..W.a.Bx.X.....;..Z...<3=L9..n.38`}...E=6I....YM.........=..........tN.~..|w8.$n...z...`K./;...<...1.......x-...(...W.f..H.V...5..@M..a.a......1.Y..2.F.;/S.c;s...d0P...U..].J...=`..'...q/.m..j..H..l..@..l.".c..G.........Q......HX..j.l.a.Q..v.P..8....s+...e......r.7i.a.O]j.y].D.CL............q....\..8..ahh~o..7b..q..N...........?}.<c...X.H$.Z.;...nH..e.ce......AX~X..w{:w8e.V3d}....P..w.Y..}I..|lAM.v...uZ..*.~Z.Ip.2..S...ai..Q.S.F....A. `..#.j...SU....g..Zw.Fo...#5.2v..Y.}.%.z.i.....KU.^..;K........E|.....F.H...:..[g.....z-.9.w...).V..J......fC...

                                C:\Program Files (x86)\Windows NT\locale2.bin

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):56546
                                Entropy (8bit):7.996966859255975
                                Encrypted:true
                                SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                                MD5:CEA69F993E1CE0FB945A98BF37A66546
                                SHA1:7114365265F041DA904574D1F5876544506F89BA
                                SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                                SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                                Malicious:false
                                Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

                                C:\Program Files (x86)\Windows NT\locale2.dat

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):56546
                                Entropy (8bit):7.996966859255979
                                Encrypted:true
                                SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                                MD5:4CB8B7E557C80FC7B014133AB834A042
                                SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                                SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                                SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                                Malicious:false
                                Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

                                C:\Program Files (x86)\Windows NT\locale3.bin

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):31890
                                Entropy (8bit):7.99402458740637
                                Encrypted:true
                                SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                                MD5:8622FC7228777F64A47BD6C61478ADD9
                                SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                                SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                                SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                                Malicious:false
                                Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

                                C:\Program Files (x86)\Windows NT\locale3.dat

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):31890
                                Entropy (8bit):7.99402458740637
                                Encrypted:true
                                SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                                MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                                SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                                SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                                SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                                Malicious:false
                                Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

                                C:\Program Files (x86)\Windows NT\locale4.bin

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):74960
                                Entropy (8bit):7.99759370165655
                                Encrypted:true
                                SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                                MD5:950338D50B95A25F494EE74E97B7B7A9
                                SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                                SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                                SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                                Malicious:false
                                Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...

                                C:\Program Files (x86)\Windows NT\locale4.dat

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):74960
                                Entropy (8bit):7.997593701656546
                                Encrypted:true
                                SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                                MD5:059BA7C31F3E227356CA5F29E4AA2508
                                SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                                SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                                SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                                Malicious:false
                                Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

                                C:\Program Files (x86)\Windows NT\locale7.bin

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):29730
                                Entropy (8bit):7.994290657653607
                                Encrypted:true
                                SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                                MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                                SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                                SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                                SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                                Malicious:false
                                Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

                                C:\Program Files (x86)\Windows NT\locale7.dat

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):29730
                                Entropy (8bit):7.994290657653608
                                Encrypted:true
                                SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                                MD5:A9C8A3E00692F79E1BA9693003F85D18
                                SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                                SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                                SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                                Malicious:false
                                Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

                                C:\Program Files (x86)\Windows NT\res.dat

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:7-zip archive data, version 0.4
                                Category:dropped
                                Size (bytes):1479328
                                Entropy (8bit):7.9998792366204805
                                Encrypted:true
                                SSDEEP:24576:tpM/NXd9kWh5o/bwMOakUWAQi4VUZheTuYf53orddOw0BY2Jy56R4Tkj8:twRh5AkMOaxukhGCrf2EM4TW8
                                MD5:D3DC27665B59AC814D3C6106C7AA2356
                                SHA1:B9D3AEBB0A651E5DA60DE9485460F0254290E705
                                SHA-256:82314DBDDC5E53ADE0FF5EF086D3DFB9A89D18DC53571B1FAEC0DAF2D6B09D08
                                SHA-512:C592C2EFC0600F09CE5B1C224E18108993BFB7B5EFE26954842047139562432B574314C971E66F7265AE989D6739509D0BE470668F7DF383EE4C6FD3D8339538
                                Malicious:false
                                Preview:7z..'....+Y1@.......@............lm......._..<.oQnD.r)+...ff...-o.....Li.y....i.......7)...0..........Y.Y.... ........V.?.Xi.Z........"...p..<......e5$.....N........=.!.`.'..l...I........&....)r.....Qf.'o.`..7Xo4....*..z...2f.k..x9u.u.j'....%".mB...4b4..6..6".Q.......~..V..6..=...y..G.9..H............=:....V.....]1.......jI;..h#....J).-'....c..#..]..|..s.........j.\.....0..+0..;..RcN.N.<EnY,g..p.".........Ip.6'...8o.P....<.K..3,.u,.........?..+v]X...9...arw{. ..\......)..e.9|.Ti.Q0.-r....A>..jk....N.T$]]...........z....]i...S-a.En1...M..U.z.B.t...]..8........u....5C<y....t3..]....?..e.....# .O....y....'....w..=$]F.l.m..v...........p.....B.3...n,Kr.'.....W0^...B..D+..E.. ..Q...j.........nWy.`.....L.I.H;X-.f.`..D....y=...a.D....>:..=...f]R.([..QU(.9c.4-....a..*d............1.tE..../.1.q.U..E....Cq.........`--....~..........L.'@....k..O.<..-/."GF>......2.V..h[\....p.uW.x.........M.v....m.v.....k...1(...x_S.z.XL...3.V!q.b.'m...l.A;.2...Oz.

                                C:\Program Files (x86)\Windows NT\tProtect.dll

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:PE32+ executable (native) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):63640
                                Entropy (8bit):6.482810107683822
                                Encrypted:false
                                SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                                MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                                SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                                SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                                SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 9%
                                • Antivirus: Virustotal, Detection: 6%, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

                                C:\Program Files (x86)\Windows NT\task.xml

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):3.3443983145211007
                                Encrypted:false
                                SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                                MD5:1E67E91688292692932CD9096EDEA2BD
                                SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                                SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                                SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                                Malicious:false
                                Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva

                                C:\Program Files (x86)\Windows NT\trash

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1229243
                                Entropy (8bit):7.999860759193778
                                Encrypted:true
                                SSDEEP:24576:pZ+FOmAnhJkbPlXXgSjPcqlhfZobOCwFx02g5803Njfjb/:6FOBnsrlXXRzXIbpwFc8gNrjr
                                MD5:070A2AF242B27F5022AD57DC904E0B6D
                                SHA1:0561CE09AFD76E6447CA47E291943A3842CA8323
                                SHA-256:A63DE6D658685650FFFCA20F0A5F05F803A247A00991C546599DBF5BEE11DFB1
                                SHA-512:3363BD1BD8B5B586B14C7FB07B54742F5EA2D4D8AE7033D867226A9B415D997D423601D9E85197632EDB06A90281D9EB8CF4D41E14DAF21F23859F1852D66DE9
                                Malicious:false
                                Preview:..W.K.7.r.....-..u..O.&.2\.....$...:.<p..|.....c.8i,S.#.*.....hj&.d...U.V.nr....d.....r...5..nkw.x.......u...[t..b,....&.....Z.Y....{.>...N..D[^...3.......]..*...8.+>.G....s.r.<x_.@...Toc3.C.&0....i`.".x...?..).n..:`...B.]...C..X.c.}Xt.zm.K.Y.....P{J..{..mC:".,...:.r........(..1..h...H.`..Rb.>.R=...[...j+..Le.]........T.+7!g..A...s....l....Y..>Q....h.y...V.{..Q.1.b0j"u.W. ..h.a...P..u?.1.+*X/z.dJD.K*....i..&...l.....mM....U...e....Q.......C.0.[..!.}]}[1..UA..M.z.k.O=vE.?....`..7.s@"j...V.W..@IP.z...ri....v.T.]#....S.z..0 .9g.o..B.2.;we.......*T..H....U....J.x....D..n.t.$..1.r.s.F...kb`|......2.....Hw....S.M...3J..w....C.pp.u.NM9...*?f..3.p..O-Dk..tFly#......w........(...k.4.g.K+...|W.s....1...Q.. ...)$.K.o.?]....[....3...5......K....$j.^.........4...;-..\./GF......".fo[...F.2Vi(..r.:!...........".y..a..n......W..C..."..CaT.e ...>..SxB..AH4.k.-...=....L......=.5..9....N&1....`.00.QTb.P... ./..i.|K8.7<.f<.m.;..........<..A..h...

                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):1.1940658735648508
                                Encrypted:false
                                SSDEEP:3:Nlllultnxj:NllU
                                MD5:F93358E626551B46E6ED5A0A9D29BD51
                                SHA1:9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03
                                SHA-256:0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
                                SHA-512:D609B72F20BF726FD14D3F2EE91CCFB2A281FAD6BC88C083BFF7FCD177D2E59613E7E4E086DB73037E2B0B8702007C8F7524259D109AF64942F3E60BFCC49853
                                Malicious:false
                                Preview:@...e................................................@..........

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_orskrwlw.l3i.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q4uz525j.dam.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uypv3h1u.x5q.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zk3nupbd.iau.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\_isetup\_setup64.tmp

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):6144
                                Entropy (8bit):4.720366600008286
                                Encrypted:false
                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                • Antivirus: Virustotal, Detection: 0%, Browse
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                C:\Users\user\AppData\Local\Temp\is-0C85M.tmp\update.vbc

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3621376
                                Entropy (8bit):7.006090025798393
                                Encrypted:false
                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 26%
                                • Antivirus: Virustotal, Detection: 38%, Browse
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                                C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\_isetup\_setup64.tmp

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                Category:dropped
                                Size (bytes):6144
                                Entropy (8bit):4.720366600008286
                                Encrypted:false
                                SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                Malicious:false
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 0%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                                C:\Users\user\AppData\Local\Temp\is-FTTA8.tmp\update.vbc

                                Download File
                                Process:C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3621376
                                Entropy (8bit):7.006090025798393
                                Encrypted:false
                                SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                                MD5:FCADEAE28FCC52FD286350DFEECD82E5
                                SHA1:48290AA098DEDE53C457FC774063C3198754A161
                                SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                                SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                                Malicious:true
                                Antivirus:
                                • Antivirus: ReversingLabs, Detection: 26%
                                Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                                C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp

                                Download File
                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3366912
                                Entropy (8bit):6.530561171048803
                                Encrypted:false
                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                MD5:6B62BAE0EB64E164C7CA6E4C80727D80
                                SHA1:B3FBB520FBC7CDBD2C9DD29F9258313837E41769
                                SHA-256:F7FEE346DE7B3D16964FBB512853CE8719CA6A9DB6017947578F1B983267C257
                                SHA-512:2A7404BCE01CDD9BE346E1B52ED2761AF1F53B8B60597CB5F4487FF1CBB499D8E86564028FE199C42B9D4392930EC3119C7079E3E34AA93D5EDB95CD00F72363
                                Malicious:true
                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                                C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp

                                Download File
                                Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):3366912
                                Entropy (8bit):6.530561171048803
                                Encrypted:false
                                SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                                MD5:6B62BAE0EB64E164C7CA6E4C80727D80
                                SHA1:B3FBB520FBC7CDBD2C9DD29F9258313837E41769
                                SHA-256:F7FEE346DE7B3D16964FBB512853CE8719CA6A9DB6017947578F1B983267C257
                                SHA-512:2A7404BCE01CDD9BE346E1B52ED2761AF1F53B8B60597CB5F4487FF1CBB499D8E86564028FE199C42B9D4392930EC3119C7079E3E34AA93D5EDB95CD00F72363
                                Malicious:true
                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                                \Device\ConDrv

                                Download File
                                Process:C:\Program Files (x86)\Windows NT\7zr.exe
                                File Type:ASCII text, with CRLF, CR line terminators
                                Category:dropped
                                Size (bytes):406
                                Entropy (8bit):5.117520345541057
                                Encrypted:false
                                SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                                MD5:9200058492BCA8F9D88B4877F842C148
                                SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                                SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                                SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                                Malicious:false
                                Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.933674304629618
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 98.04%
                                • Inno Setup installer (109748/4) 1.08%
                                • InstallShield setup (43055/19) 0.42%
                                • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                                File size:6'351'526 bytes
                                MD5:cc4c53c634a350d8040888ff38df9e20
                                SHA1:1f3af1bab4b2e172c59fe165169976c20028a4fa
                                SHA256:13ded7ac74245dd01f80304bb56bb9f9480e20bf4a5166ed1287f5cd22f53f6a
                                SHA512:92a8e69c9ac1063732155aebabffbafd3dac887c3b6185aea564fdd43674ae7e9b1cf1d647a797e0adac56e2992e9c99e5ba124c5abfabe0491637123d4b0e42
                                SSDEEP:98304:XwRE8jCK5SKCngYyGgsKF6qoxVYva44P9H/gxcxRzkSzXdMwZga:l8jr5h8QGg7tGSa90ckO7
                                TLSH:58561223F2CBD43EF0590B3B15B2A25494FB6A616526BD1696ECB4ECCF311601E3E247
                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                File Icon

                                Icon Hash:0c0c2d33ceec80aa

                                Static PE Info

                                General

                                Entrypoint:0x4a83bc
                                Entrypoint Section:.itext
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:1
                                File Version Major:6
                                File Version Minor:1
                                Subsystem Version Major:6
                                Subsystem Version Minor:1
                                Import Hash:40ab50289f7ef5fae60801f88d4541fc

                                Entrypoint Preview

                                Instruction
                                push ebp
                                mov ebp, esp
                                add esp, FFFFFFA4h
                                push ebx
                                push esi
                                push edi
                                xor eax, eax
                                mov dword ptr [ebp-3Ch], eax
                                mov dword ptr [ebp-40h], eax
                                mov dword ptr [ebp-5Ch], eax
                                mov dword ptr [ebp-30h], eax
                                mov dword ptr [ebp-38h], eax
                                mov dword ptr [ebp-34h], eax
                                mov dword ptr [ebp-2Ch], eax
                                mov dword ptr [ebp-28h], eax
                                mov dword ptr [ebp-14h], eax
                                mov eax, 004A2EBCh
                                call 00007F579145C835h
                                xor eax, eax
                                push ebp
                                push 004A8AC1h
                                push dword ptr fs:[eax]
                                mov dword ptr fs:[eax], esp
                                xor edx, edx
                                push ebp
                                push 004A8A7Bh
                                push dword ptr fs:[edx]
                                mov dword ptr fs:[edx], esp
                                mov eax, dword ptr [004B0634h]
                                call 00007F57914EE1BBh
                                call 00007F57914EDD0Eh
                                lea edx, dword ptr [ebp-14h]
                                xor eax, eax
                                call 00007F57914E89E8h
                                mov edx, dword ptr [ebp-14h]
                                mov eax, 004B41F4h
                                call 00007F57914568E3h
                                push 00000002h
                                push 00000000h
                                push 00000001h
                                mov ecx, dword ptr [004B41F4h]
                                mov dl, 01h
                                mov eax, dword ptr [0049CD14h]
                                call 00007F57914E9D13h
                                mov dword ptr [004B41F8h], eax
                                xor edx, edx
                                push ebp
                                push 004A8A27h
                                push dword ptr fs:[edx]
                                mov dword ptr fs:[edx], esp
                                call 00007F57914EE243h
                                mov dword ptr [004B4200h], eax
                                mov eax, dword ptr [004B4200h]
                                cmp dword ptr [eax+0Ch], 01h
                                jne 00007F57914F4F2Ah
                                mov eax, dword ptr [004B4200h]
                                mov edx, 00000028h
                                call 00007F57914EA608h
                                mov edx, dword ptr [004B4200h]

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0xb70000x71.edata
                                IMAGE_DIRECTORY_ENTRY_IMPORT0xb50000xfec.idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xcb0000x11000.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000x10fa8.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0xb90000x18.rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0xb52d40x25c.idata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xb60000x1a4.didata
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x10000xa568c0xa5800b889d302f6fc48a904de33d8d947ae80False0.3620185045317221data6.377190161826806IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .itext0xa70000x1b640x1c00588dd0a8ab499300d3701cbd11b017d9False0.548828125data6.109264411030635IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .data0xa90000x38380x3a005c0c76e77aef52ebc6702430837ccb6eFalse0.35338092672413796data4.95916338709992IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .bss0xad0000x72580x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata0xb50000xfec0x1000627340dff539ef99048969aa4824fb2dFalse0.380615234375data5.020404933181373IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .didata0xb60000x1a40x200fd11c1109737963cc6cb7258063abfd6False0.34765625data2.729290535217263IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .edata0xb70000x710x2007de8ca0c7a61668a728fd3a88dc0942dFalse0.1796875data1.305578535725827IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .tls0xb80000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rdata0xb90000x5d0x200d84006640084dc9f74a07c2ff9c7d656False0.189453125data1.3892750148744617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0xba0000x10fa80x11000a85fda2741bd9417695daa5fc5a9d7a5False0.5789579503676471data6.709466460182023IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                .rsrc0xcb0000x110000x1100070036f9ecd5fc4a9149d4c203f06bf3aFalse0.1877728630514706data3.722956795486655IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                RT_ICON0xcb6780xa68Device independent bitmap graphic, 64 x 128 x 4, image size 2048EnglishUnited States0.1174924924924925
                                RT_ICON0xcc0e00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.15792682926829268
                                RT_ICON0xcc7480x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.23387096774193547
                                RT_ICON0xcca300x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.39864864864864863
                                RT_ICON0xccb580x1628Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colorsEnglishUnited States0.08339210155148095
                                RT_ICON0xce1800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.1023454157782516
                                RT_ICON0xcf0280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.10649819494584838
                                RT_ICON0xcf8d00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.10838150289017341
                                RT_ICON0xcfe380x12e5PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.8712011577424024
                                RT_ICON0xd11200x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.05668398677373642
                                RT_ICON0xd53480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08475103734439834
                                RT_ICON0xd78f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.09920262664165103
                                RT_ICON0xd89980x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.2047872340425532
                                RT_STRING0xd8e000x3f8data0.3198818897637795
                                RT_STRING0xd91f80x2dcdata0.36475409836065575
                                RT_STRING0xd94d40x430data0.40578358208955223
                                RT_STRING0xd99040x44cdata0.38636363636363635
                                RT_STRING0xd9d500x2d4data0.39226519337016574
                                RT_STRING0xda0240xb8data0.6467391304347826
                                RT_STRING0xda0dc0x9cdata0.6410256410256411
                                RT_STRING0xda1780x374data0.4230769230769231
                                RT_STRING0xda4ec0x398data0.3358695652173913
                                RT_STRING0xda8840x368data0.3795871559633027
                                RT_STRING0xdabec0x2a4data0.4275147928994083
                                RT_RCDATA0xdae900x10data1.5
                                RT_RCDATA0xdaea00x310data0.6173469387755102
                                RT_RCDATA0xdb1b00x2cdata1.1818181818181819
                                RT_GROUP_ICON0xdb1dc0xbcdataEnglishUnited States0.6170212765957447
                                RT_VERSION0xdb2980x584dataEnglishUnited States0.278328611898017
                                RT_MANIFEST0xdb81c0x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                                Imports

                                DLLImport
                                kernel32.dllGetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                comctl32.dllInitCommonControls
                                user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                advapi32.dllConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

                                Exports

                                NameOrdinalAddress
                                __dbk_fcall_wrapper20x40fc10
                                dbkFCallWrapperAddr10x4b063c

                                Possible Origin

                                Language of compilation systemCountry where language is spokenMap
                                EnglishUnited States

                                Network Behavior

                                No network behavior found

                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:22:28:56
                                Start date:24/12/2024
                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
                                Imagebase:0x6e0000
                                File size:6'351'526 bytes
                                MD5 hash:CC4C53C634A350D8040888FF38DF9E20
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                General

                                Target ID:1
                                Start time:22:28:57
                                Start date:24/12/2024
                                Path:C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\is-O0S0K.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$10444,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
                                Imagebase:0x9f0000
                                File size:3'366'912 bytes
                                MD5 hash:6B62BAE0EB64E164C7CA6E4C80727D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                General

                                Target ID:2
                                Start time:22:28:57
                                Start date:24/12/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                Imagebase:0x7ff788560000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:3
                                Start time:22:28:57
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:4
                                Start time:22:28:57
                                Start date:24/12/2024
                                Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
                                Imagebase:0x6e0000
                                File size:6'351'526 bytes
                                MD5 hash:CC4C53C634A350D8040888FF38DF9E20
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:false

                                General

                                Target ID:5
                                Start time:22:28:58
                                Start date:24/12/2024
                                Path:C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\Temp\is-OBUJP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$20448,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
                                Imagebase:0x3d0000
                                File size:3'366'912 bytes
                                MD5 hash:6B62BAE0EB64E164C7CA6E4C80727D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:Borland Delphi
                                Reputation:low
                                Has exited:true

                                General

                                Target ID:6
                                Start time:22:29:00
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:7
                                Start time:22:29:00
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:8
                                Start time:22:29:00
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:9
                                Start time:22:29:00
                                Start date:24/12/2024
                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                Wow64 process (32bit):true
                                Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                                Imagebase:0x40000
                                File size:831'200 bytes
                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                • Detection: 0%, Virustotal, Browse
                                Reputation:moderate
                                Has exited:true

                                General

                                Target ID:10
                                Start time:22:29:01
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:11
                                Start time:22:29:01
                                Start date:24/12/2024
                                Path:C:\Program Files (x86)\Windows NT\7zr.exe
                                Wow64 process (32bit):true
                                Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                                Imagebase:0x40000
                                File size:831'200 bytes
                                MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                General

                                Target ID:12
                                Start time:22:29:01
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:13
                                Start time:22:29:01
                                Start date:24/12/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff693ab0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Has exited:false

                                General

                                Target ID:14
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:15
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:16
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:17
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:18
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:19
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:20
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:21
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:22
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:23
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:24
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:25
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:26
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:27
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:28
                                Start time:22:29:02
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:29
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:30
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:31
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:32
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:33
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:34
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:35
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:36
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:37
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:38
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:39
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:40
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:41
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:42
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:43
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:44
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:45
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:46
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:47
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:48
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:49
                                Start time:22:29:03
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:50
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:51
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:52
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:53
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:54
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:55
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:56
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:57
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:58
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:59
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:60
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:61
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:62
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:63
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:64
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:65
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:66
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:67
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:68
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:69
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:70
                                Start time:22:29:04
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:71
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:72
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:73
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:74
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:75
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:76
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:77
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:78
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:79
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:80
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:81
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:82
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:83
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:84
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:85
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:86
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:87
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:88
                                Start time:22:29:05
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:89
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:90
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:91
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:92
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:93
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:94
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:95
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:96
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:97
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:98
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:99
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:100
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:101
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:102
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:103
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:104
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:105
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:106
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:107
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:108
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\sc.exe
                                Wow64 process (32bit):false
                                Commandline:sc start CleverSoar
                                Imagebase:0x7ff71f0d0000
                                File size:72'192 bytes
                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:109
                                Start time:22:29:06
                                Start date:24/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:110
                                Start time:22:29:07
                                Start date:24/12/2024
                                Path:C:\Windows\System32\cmd.exe
                                Wow64 process (32bit):false
                                Commandline:cmd /c start sc start CleverSoar
                                Imagebase:0x7ff61dc90000
                                File size:289'792 bytes
                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:265
                                Start time:22:29:13
                                Start date:24/12/2024
                                Path:C:\Windows\System32\Conhost.exe
                                Wow64 process (32bit):
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:
                                Has administrator privileges:
                                Programmed in:C, C++ or other language
                                Has exited:false

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:1.9%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:4.9%
                                  Total number of Nodes:728
                                  Total number of Limit Nodes:9
                                  execution_graph 63448 6c90f150 63450 6c90efbe 63448->63450 63449 6c90f243 CreateFileA 63452 6c90f2a7 63449->63452 63450->63449 63451 6c9102ca 63452->63451 63453 6c9102ac GetCurrentProcess TerminateProcess 63452->63453 63453->63451 63454 6c90f8a3 63456 6c90f887 63454->63456 63455 6c9102ac GetCurrentProcess TerminateProcess 63457 6c9102ca 63455->63457 63456->63455 63458 6ca8262f 63459 6ca8263b __wsopen_s 63458->63459 63460 6ca8264f 63459->63460 63461 6ca82642 GetLastError ExitThread 63459->63461 63470 6ca880a2 GetLastError 63460->63470 63466 6ca8266b 63503 6ca8259a 16 API calls 2 library calls 63466->63503 63469 6ca8268d 63471 6ca880b9 63470->63471 63476 6ca880bf 63470->63476 63504 6ca8a213 6 API calls std::_Lockit::_Lockit 63471->63504 63474 6ca880dd 63475 6ca880e1 63474->63475 63477 6ca880c5 SetLastError 63474->63477 63506 6ca8a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63475->63506 63476->63477 63505 6ca8a252 6 API calls std::_Lockit::_Lockit 63476->63505 63483 6ca88159 63477->63483 63484 6ca82654 63477->63484 63480 6ca880ed 63481 6ca8810c 63480->63481 63482 6ca880f5 63480->63482 63509 6ca8a252 6 API calls std::_Lockit::_Lockit 63481->63509 63507 6ca8a252 6 API calls std::_Lockit::_Lockit 63482->63507 63512 6ca841b9 37 API calls std::locale::_Setgloballocale 63483->63512 63497 6ca8d456 63484->63497 63488 6ca88103 63508 6ca87eab HeapFree GetLastError _free 63488->63508 63490 6ca88118 63491 6ca8811c 63490->63491 63492 6ca8812d 63490->63492 63510 6ca8a252 6 API calls std::_Lockit::_Lockit 63491->63510 63511 6ca87eab HeapFree GetLastError _free 63492->63511 63495 6ca88109 63495->63477 63498 6ca8d468 GetPEB 63497->63498 63499 6ca8265f 63497->63499 63498->63499 63500 6ca8d47b 63498->63500 63499->63466 63502 6ca8a45f 5 API calls std::_Lockit::_Lockit 63499->63502 63513 6ca8a508 5 API calls std::_Lockit::_Lockit 63500->63513 63502->63466 63503->63469 63504->63476 63505->63474 63506->63480 63507->63488 63508->63495 63509->63490 63510->63488 63511->63495 63513->63499 63514 6ca901c3 63515 6ca901ed 63514->63515 63516 6ca901d5 __dosmaperr 63514->63516 63515->63516 63517 6ca90267 63515->63517 63519 6ca90238 __dosmaperr 63515->63519 63520 6ca90280 63517->63520 63522 6ca902d7 __wsopen_s 63517->63522 63523 6ca9029b __dosmaperr 63517->63523 63561 6ca83810 18 API calls __cftoe 63519->63561 63521 6ca90285 63520->63521 63520->63523 63549 6ca950d5 63521->63549 63555 6ca87eab HeapFree GetLastError _free 63522->63555 63554 6ca83810 18 API calls __cftoe 63523->63554 63526 6ca9042e 63529 6ca904a4 63526->63529 63532 6ca90447 GetConsoleMode 63526->63532 63527 6ca902f7 63556 6ca87eab HeapFree GetLastError _free 63527->63556 63531 6ca904a8 ReadFile 63529->63531 63535 6ca9051c GetLastError 63531->63535 63536 6ca904c2 63531->63536 63532->63529 63533 6ca90458 63532->63533 63533->63531 63537 6ca9045e ReadConsoleW 63533->63537 63534 6ca902fe 63538 6ca902b2 __dosmaperr __wsopen_s 63534->63538 63557 6ca8e359 20 API calls __wsopen_s 63534->63557 63535->63538 63536->63535 63539 6ca90499 63536->63539 63537->63539 63540 6ca9047a GetLastError 63537->63540 63558 6ca87eab HeapFree GetLastError _free 63538->63558 63539->63538 63543 6ca904fe 63539->63543 63544 6ca904e7 63539->63544 63540->63538 63543->63538 63546 6ca90515 63543->63546 63559 6ca905ee 23 API calls 3 library calls 63544->63559 63560 6ca908a6 21 API calls __wsopen_s 63546->63560 63548 6ca9051a 63548->63538 63550 6ca950ef 63549->63550 63551 6ca950e2 63549->63551 63552 6ca950fb 63550->63552 63562 6ca83810 18 API calls __cftoe 63550->63562 63551->63526 63552->63526 63554->63538 63555->63527 63556->63534 63557->63521 63558->63516 63559->63538 63560->63548 63561->63516 63562->63551 63563 6c8f4b53 63721 6ca7a133 63563->63721 63565 6c8f4b5c _Yarn 63735 6ca6e090 63565->63735 63567 6c91639e 63826 6ca83820 18 API calls 2 library calls 63567->63826 63569 6c8f5164 CreateFileA CloseHandle 63575 6c8f51ec 63569->63575 63570 6c8f4cff 63571 6c8f4bae std::ios_base::_Ios_base_dtor 63571->63567 63571->63569 63571->63570 63572 6c90245a _Yarn _strlen 63571->63572 63572->63567 63573 6ca6e090 FindFirstFileA 63572->63573 63589 6c902a83 std::ios_base::_Ios_base_dtor 63573->63589 63739 6ca78810 OpenSCManagerA 63575->63739 63577 6c8ffc00 63818 6ca78930 CreateToolhelp32Snapshot 63577->63818 63580 6ca7a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63616 6c8f5478 std::ios_base::_Ios_base_dtor _Yarn _strlen 63580->63616 63582 6c9037d0 Sleep 63627 6c9037e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 63582->63627 63583 6ca6e090 FindFirstFileA 63583->63616 63584 6c9163b2 63827 6c8f15e0 18 API calls std::ios_base::_Ios_base_dtor 63584->63827 63585 6ca78930 4 API calls 63604 6c90053a 63585->63604 63587 6ca78930 4 API calls 63612 6c9012e2 63587->63612 63588 6c9164f8 63589->63567 63743 6ca60880 63589->63743 63590 6c8fffe3 63590->63585 63595 6c900abc 63590->63595 63591 6c916ba0 104 API calls 63591->63616 63592 6c916e60 32 API calls 63592->63616 63594 6ca78930 4 API calls 63594->63595 63595->63572 63595->63587 63597 6c8f6722 63794 6ca74860 25 API calls 4 library calls 63597->63794 63598 6ca78930 4 API calls 63618 6c901dd9 63598->63618 63599 6c90211c 63599->63572 63601 6c90241a 63599->63601 63603 6ca60880 10 API calls 63601->63603 63602 6ca6e090 FindFirstFileA 63602->63627 63605 6c90244d 63603->63605 63604->63594 63604->63595 63824 6ca79450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63605->63824 63607 6c902452 Sleep 63607->63572 63608 6c9016ac 63609 6c8f6162 63610 6c8f740b 63795 6ca786e0 CreateProcessA 63610->63795 63612->63598 63612->63599 63612->63608 63613 6ca78930 4 API calls 63613->63599 63616->63567 63616->63577 63616->63580 63616->63583 63616->63591 63616->63592 63616->63597 63616->63609 63780 6c917090 63616->63780 63793 6c93e010 67 API calls 63616->63793 63617 6c917090 77 API calls 63617->63627 63618->63599 63618->63613 63620 6c8f775a _strlen 63620->63567 63621 6c8f7ba9 63620->63621 63622 6c8f7b92 63620->63622 63625 6c8f7b43 _Yarn 63620->63625 63624 6ca7a133 std::_Facet_Register 4 API calls 63621->63624 63623 6ca7a133 std::_Facet_Register 4 API calls 63622->63623 63623->63625 63624->63625 63626 6ca6e090 FindFirstFileA 63625->63626 63636 6c8f7be7 std::ios_base::_Ios_base_dtor 63626->63636 63627->63567 63627->63602 63627->63617 63751 6c916ba0 63627->63751 63770 6c916e60 63627->63770 63825 6c93e010 67 API calls 63627->63825 63628 6ca786e0 4 API calls 63639 6c8f8a07 63628->63639 63629 6c8f9d7f 63632 6ca7a133 std::_Facet_Register 4 API calls 63629->63632 63630 6c8f9d68 63631 6ca7a133 std::_Facet_Register 4 API calls 63630->63631 63634 6c8f9d18 _Yarn 63631->63634 63632->63634 63633 6c8f962c _strlen 63633->63567 63633->63629 63633->63630 63633->63634 63635 6ca6e090 FindFirstFileA 63634->63635 63645 6c8f9dbd std::ios_base::_Ios_base_dtor 63635->63645 63636->63567 63636->63628 63636->63633 63637 6c8f8387 63636->63637 63638 6ca786e0 4 API calls 63640 6c8f9120 63638->63640 63639->63638 63643 6ca786e0 4 API calls 63640->63643 63641 6ca786e0 4 API calls 63642 6c8fa215 _strlen 63641->63642 63642->63567 63654 6c8fa9bb 63642->63654 63655 6c8fa9a4 63642->63655 63664 6c8fa953 _Yarn _strlen 63642->63664 63644 6c8f9624 63643->63644 63799 6ca79450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63644->63799 63645->63567 63645->63641 63652 6c8fe8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 63645->63652 63646 6ca7a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63646->63652 63648 6ca6e090 FindFirstFileA 63648->63652 63649 6c8fed02 Sleep 63669 6c8fe8c1 63649->63669 63650 6c8ff7b1 63817 6ca79450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63650->63817 63652->63567 63652->63646 63652->63648 63652->63649 63652->63650 63653 6c8fe8dd GetCurrentProcess TerminateProcess 63653->63652 63657 6ca7a133 std::_Facet_Register 4 API calls 63654->63657 63656 6ca7a133 std::_Facet_Register 4 API calls 63655->63656 63656->63664 63657->63664 63658 6ca786e0 4 API calls 63658->63669 63659 6c8ffbb8 63660 6c8ffbe8 ExitWindowsEx Sleep 63659->63660 63660->63577 63661 6c8ff7c0 63661->63659 63662 6c8fb009 63666 6ca7a133 std::_Facet_Register 4 API calls 63662->63666 63663 6c8faff0 63665 6ca7a133 std::_Facet_Register 4 API calls 63663->63665 63664->63584 63664->63662 63664->63663 63667 6c8fafa0 _Yarn 63664->63667 63665->63667 63666->63667 63800 6ca79050 63667->63800 63669->63652 63669->63653 63669->63658 63670 6c8fb059 std::ios_base::_Ios_base_dtor _strlen 63670->63567 63671 6c8fb42c 63670->63671 63672 6c8fb443 63670->63672 63675 6c8fb3da _Yarn _strlen 63670->63675 63673 6ca7a133 std::_Facet_Register 4 API calls 63671->63673 63674 6ca7a133 std::_Facet_Register 4 API calls 63672->63674 63673->63675 63674->63675 63675->63584 63676 6c8fb79e 63675->63676 63677 6c8fb7b7 63675->63677 63680 6c8fb751 _Yarn 63675->63680 63678 6ca7a133 std::_Facet_Register 4 API calls 63676->63678 63679 6ca7a133 std::_Facet_Register 4 API calls 63677->63679 63678->63680 63679->63680 63681 6ca79050 104 API calls 63680->63681 63682 6c8fb804 std::ios_base::_Ios_base_dtor _strlen 63681->63682 63682->63567 63683 6c8fbc0f 63682->63683 63684 6c8fbc26 63682->63684 63687 6c8fbbbd _Yarn _strlen 63682->63687 63685 6ca7a133 std::_Facet_Register 4 API calls 63683->63685 63686 6ca7a133 std::_Facet_Register 4 API calls 63684->63686 63685->63687 63686->63687 63687->63584 63688 6c8fc08e 63687->63688 63689 6c8fc075 63687->63689 63692 6c8fc028 _Yarn 63687->63692 63691 6ca7a133 std::_Facet_Register 4 API calls 63688->63691 63690 6ca7a133 std::_Facet_Register 4 API calls 63689->63690 63690->63692 63691->63692 63693 6ca79050 104 API calls 63692->63693 63698 6c8fc0db std::ios_base::_Ios_base_dtor _strlen 63693->63698 63694 6c8fc7bc 63697 6ca7a133 std::_Facet_Register 4 API calls 63694->63697 63695 6c8fc7a5 63696 6ca7a133 std::_Facet_Register 4 API calls 63695->63696 63705 6c8fc753 _Yarn _strlen 63696->63705 63697->63705 63698->63567 63698->63694 63698->63695 63698->63705 63699 6c8fd3ed 63701 6ca7a133 std::_Facet_Register 4 API calls 63699->63701 63700 6c8fd406 63702 6ca7a133 std::_Facet_Register 4 API calls 63700->63702 63703 6c8fd39a _Yarn 63701->63703 63702->63703 63704 6ca79050 104 API calls 63703->63704 63706 6c8fd458 std::ios_base::_Ios_base_dtor _strlen 63704->63706 63705->63584 63705->63699 63705->63700 63705->63703 63711 6c8fcb2f 63705->63711 63706->63567 63707 6c8fd8bb 63706->63707 63708 6c8fd8a4 63706->63708 63712 6c8fd852 _Yarn _strlen 63706->63712 63710 6ca7a133 std::_Facet_Register 4 API calls 63707->63710 63709 6ca7a133 std::_Facet_Register 4 API calls 63708->63709 63709->63712 63710->63712 63712->63584 63713 6c8fdccf 63712->63713 63714 6c8fdcb6 63712->63714 63717 6c8fdc69 _Yarn 63712->63717 63716 6ca7a133 std::_Facet_Register 4 API calls 63713->63716 63715 6ca7a133 std::_Facet_Register 4 API calls 63714->63715 63715->63717 63716->63717 63718 6ca79050 104 API calls 63717->63718 63720 6c8fdd1c std::ios_base::_Ios_base_dtor 63718->63720 63719 6ca786e0 4 API calls 63719->63652 63720->63567 63720->63719 63723 6ca7a138 63721->63723 63722 6ca7a152 63722->63565 63723->63722 63726 6ca7a154 std::_Facet_Register 63723->63726 63828 6ca82704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63723->63828 63725 6ca7afb3 std::_Facet_Register 63832 6ca7ca69 RaiseException 63725->63832 63726->63725 63829 6ca7ca69 RaiseException 63726->63829 63728 6ca7b7ac IsProcessorFeaturePresent 63734 6ca7b7d1 63728->63734 63730 6ca7af73 63830 6ca7ca69 RaiseException 63730->63830 63732 6ca7af93 std::invalid_argument::invalid_argument 63831 6ca7ca69 RaiseException 63732->63831 63734->63565 63736 6ca6e0a6 FindFirstFileA 63735->63736 63737 6ca6e0a4 63735->63737 63738 6ca6e0e0 63736->63738 63737->63736 63738->63571 63740 6ca78846 63739->63740 63741 6ca788be OpenServiceA 63740->63741 63742 6ca78922 63740->63742 63741->63740 63742->63616 63748 6ca60893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63743->63748 63744 6ca64e71 CloseHandle 63744->63748 63745 6ca63bd1 CloseHandle 63745->63748 63746 6c9037cb 63750 6ca79450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63746->63750 63747 6ca4cea0 WriteFile ReadFile WriteFile WriteFile 63747->63748 63748->63744 63748->63745 63748->63746 63748->63747 63833 6ca4c390 63748->63833 63750->63582 63752 6c916bd5 63751->63752 63844 6c942020 63752->63844 63754 6c916c68 63755 6ca7a133 std::_Facet_Register 4 API calls 63754->63755 63756 6c916ca0 63755->63756 63861 6ca7aa17 63756->63861 63758 6c916cb4 63873 6c941d90 63758->63873 63761 6c916d8e 63761->63627 63763 6c916dc8 63881 6c9426e0 24 API calls 4 library calls 63763->63881 63765 6c916dda 63882 6ca7ca69 RaiseException 63765->63882 63767 6c916def 63883 6c93e010 67 API calls 63767->63883 63769 6c916e0f 63769->63627 63771 6c916e9f 63770->63771 63774 6c916eb3 63771->63774 64246 6c943560 32 API calls std::_Xinvalid_argument 63771->64246 63775 6c916f5b 63774->63775 64248 6c942250 30 API calls 63774->64248 64249 6c9426e0 24 API calls 4 library calls 63774->64249 64250 6ca7ca69 RaiseException 63774->64250 63776 6c916f6e 63775->63776 64247 6c9437e0 32 API calls std::_Xinvalid_argument 63775->64247 63776->63627 63781 6c91709e 63780->63781 63785 6c9170d1 63780->63785 64251 6c9401f0 63781->64251 63783 6c917183 63783->63616 63785->63783 64255 6c942250 30 API calls 63785->64255 63786 6ca84208 67 API calls 63786->63785 63788 6c9171ae 64256 6c942340 24 API calls 63788->64256 63790 6c9171be 64257 6ca7ca69 RaiseException 63790->64257 63792 6c9171c9 63793->63616 63794->63610 63797 6ca78770 63795->63797 63796 6ca787b0 WaitForSingleObject CloseHandle CloseHandle 63796->63797 63797->63796 63798 6ca787a4 63797->63798 63798->63620 63799->63633 63801 6ca790a7 63800->63801 64303 6ca796e0 63801->64303 63803 6ca790b8 63804 6c916ba0 104 API calls 63803->63804 63811 6ca790dc 63804->63811 63805 6ca79157 64355 6c93e010 67 API calls 63805->64355 63807 6ca7918f std::ios_base::_Ios_base_dtor 64356 6c93e010 67 API calls 63807->64356 63810 6ca79144 64340 6ca79280 63810->64340 63811->63805 63811->63810 64322 6ca79a30 63811->64322 64330 6c953010 63811->64330 63812 6ca791d2 std::ios_base::_Ios_base_dtor 63812->63670 63815 6ca7914c 63816 6c917090 77 API calls 63815->63816 63816->63805 63817->63661 63821 6ca78966 std::locale::_Setgloballocale 63818->63821 63819 6ca78a64 Process32NextW 63819->63821 63820 6ca78a14 CloseHandle 63820->63821 63821->63819 63821->63820 63822 6ca78a96 63821->63822 63823 6ca78a45 Process32FirstW 63821->63823 63822->63590 63823->63821 63824->63607 63825->63627 63827->63588 63828->63723 63829->63730 63830->63732 63831->63725 63832->63728 63834 6ca4c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 63833->63834 63835 6ca4ce3c 63834->63835 63836 6ca4cab9 CreateFileA 63834->63836 63838 6ca4b4d0 63834->63838 63835->63748 63836->63834 63839 6ca4b4e3 __wsopen_s std::locale::_Setgloballocale 63838->63839 63840 6ca4c206 WriteFile 63839->63840 63841 6ca4b619 WriteFile 63839->63841 63842 6ca4c377 63839->63842 63843 6ca4bc23 ReadFile 63839->63843 63840->63839 63841->63839 63842->63834 63843->63839 63845 6ca7a133 std::_Facet_Register 4 API calls 63844->63845 63846 6c94207e 63845->63846 63847 6ca7aa17 43 API calls 63846->63847 63848 6c942092 63847->63848 63884 6c942f60 42 API calls 4 library calls 63848->63884 63850 6c94210d 63853 6c942120 63850->63853 63885 6ca7a67e 9 API calls 2 library calls 63850->63885 63851 6c9420c8 63851->63850 63852 6c942136 63851->63852 63886 6c942250 30 API calls 63852->63886 63853->63754 63856 6c94215b 63887 6c942340 24 API calls 63856->63887 63858 6c942171 63888 6ca7ca69 RaiseException 63858->63888 63860 6c94217c 63860->63754 63862 6ca7aa23 __EH_prolog3 63861->63862 63889 6ca7a5a5 63862->63889 63867 6ca7aa41 63903 6ca7aaaa 39 API calls std::locale::_Setgloballocale 63867->63903 63868 6ca7aa9c 63868->63758 63870 6ca7aa49 63904 6ca7a8a1 HeapFree GetLastError _Yarn 63870->63904 63872 6ca7aa5f 63895 6ca7a5d6 63872->63895 63874 6c916d5d 63873->63874 63875 6c941ddc 63873->63875 63874->63761 63880 6c942250 30 API calls 63874->63880 63909 6ca7ab37 63875->63909 63879 6c941e82 63880->63763 63881->63765 63882->63767 63883->63769 63884->63851 63885->63853 63886->63856 63887->63858 63888->63860 63890 6ca7a5b4 63889->63890 63891 6ca7a5bb 63889->63891 63905 6ca83abd 6 API calls std::_Lockit::_Lockit 63890->63905 63893 6ca7a5b9 63891->63893 63906 6ca7bc7b EnterCriticalSection 63891->63906 63893->63872 63902 6ca7a920 6 API calls 2 library calls 63893->63902 63896 6ca83acb 63895->63896 63897 6ca7a5e0 63895->63897 63908 6ca83aa6 LeaveCriticalSection 63896->63908 63898 6ca7a5f3 63897->63898 63907 6ca7bc89 LeaveCriticalSection 63897->63907 63898->63868 63901 6ca83ad2 63901->63868 63902->63867 63903->63870 63904->63872 63905->63893 63906->63893 63907->63898 63908->63901 63910 6ca7ab40 63909->63910 63913 6c941dea 63910->63913 63918 6ca8343a 63910->63918 63912 6ca7ab8c 63912->63913 63929 6ca83148 65 API calls 63912->63929 63913->63874 63917 6ca7fc53 18 API calls __cftoe 63913->63917 63915 6ca7aba7 63915->63913 63930 6ca84208 63915->63930 63917->63879 63920 6ca83445 __wsopen_s 63918->63920 63919 6ca83458 63955 6ca83810 18 API calls __cftoe 63919->63955 63920->63919 63921 6ca83478 63920->63921 63925 6ca83468 63921->63925 63941 6ca8e4fc 63921->63941 63925->63912 63929->63915 63931 6ca84214 __wsopen_s 63930->63931 63932 6ca8421e 63931->63932 63933 6ca84233 63931->63933 64151 6ca83810 18 API calls __cftoe 63932->64151 63937 6ca8422e 63933->63937 64136 6ca7fc99 EnterCriticalSection 63933->64136 63936 6ca84250 64137 6ca8428c 63936->64137 63937->63913 63939 6ca8425b 64152 6ca84282 LeaveCriticalSection 63939->64152 63942 6ca8e508 __wsopen_s 63941->63942 63957 6ca83a8f EnterCriticalSection 63942->63957 63944 6ca8e516 63958 6ca8e5a0 63944->63958 63949 6ca8e662 63950 6ca8e781 63949->63950 63982 6ca8e804 63950->63982 63953 6ca834bc 63956 6ca834e5 LeaveCriticalSection 63953->63956 63955->63925 63956->63925 63957->63944 63966 6ca8e5c3 63958->63966 63959 6ca8e523 63972 6ca8e55c 63959->63972 63960 6ca8e61b 63977 6ca8a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63960->63977 63962 6ca8e624 63978 6ca87eab HeapFree GetLastError _free 63962->63978 63965 6ca8e62d 63965->63959 63979 6ca8a30f 6 API calls std::_Lockit::_Lockit 63965->63979 63966->63959 63966->63960 63966->63966 63975 6ca7fc99 EnterCriticalSection 63966->63975 63976 6ca7fcad LeaveCriticalSection 63966->63976 63968 6ca8e64c 63980 6ca7fc99 EnterCriticalSection 63968->63980 63971 6ca8e65f 63971->63959 63981 6ca83aa6 LeaveCriticalSection 63972->63981 63974 6ca83493 63974->63925 63974->63949 63975->63966 63976->63966 63977->63962 63978->63965 63979->63968 63980->63971 63981->63974 63983 6ca8e823 63982->63983 63984 6ca8e836 63983->63984 63988 6ca8e84b 63983->63988 63998 6ca83810 18 API calls __cftoe 63984->63998 63986 6ca8e797 63986->63953 63995 6ca976ce 63986->63995 63988->63988 63993 6ca8e96b 63988->63993 63999 6ca97598 37 API calls __cftoe 63988->63999 63990 6ca8e9bb 63990->63993 64000 6ca97598 37 API calls __cftoe 63990->64000 63992 6ca8e9d9 63992->63993 64001 6ca97598 37 API calls __cftoe 63992->64001 63993->63986 64002 6ca83810 18 API calls __cftoe 63993->64002 64003 6ca97a86 63995->64003 63998->63986 63999->63990 64000->63992 64001->63993 64002->63986 64005 6ca97a92 __wsopen_s 64003->64005 64004 6ca97a99 64021 6ca83810 18 API calls __cftoe 64004->64021 64005->64004 64006 6ca97ac4 64005->64006 64012 6ca976ee 64006->64012 64011 6ca976e9 64011->63953 64023 6ca83dbb 64012->64023 64017 6ca97724 64019 6ca97756 64017->64019 64063 6ca87eab HeapFree GetLastError _free 64017->64063 64022 6ca97b1b LeaveCriticalSection __wsopen_s 64019->64022 64021->64011 64022->64011 64064 6ca7f3db 64023->64064 64026 6ca83ddf 64028 6ca7f4e6 64026->64028 64073 6ca7f53e 64028->64073 64030 6ca7f4fe 64030->64017 64031 6ca9775c 64030->64031 64088 6ca97bdc 64031->64088 64037 6ca97882 GetFileType 64040 6ca9788d GetLastError 64037->64040 64041 6ca978d4 64037->64041 64038 6ca9778e __dosmaperr 64038->64017 64039 6ca97857 GetLastError 64039->64038 64117 6ca830e2 __dosmaperr _free 64040->64117 64118 6ca94ea0 SetStdHandle __dosmaperr __wsopen_s 64041->64118 64043 6ca97805 64043->64037 64043->64039 64116 6ca97b47 CreateFileW 64043->64116 64044 6ca9789b CloseHandle 64044->64038 64060 6ca978c4 64044->64060 64047 6ca9784a 64047->64037 64047->64039 64048 6ca978f5 64049 6ca97941 64048->64049 64119 6ca97d56 70 API calls 2 library calls 64048->64119 64053 6ca97948 64049->64053 64133 6ca97e00 70 API calls 2 library calls 64049->64133 64052 6ca97976 64052->64053 64054 6ca97984 64052->64054 64120 6ca8f015 64053->64120 64054->64038 64056 6ca97a00 CloseHandle 64054->64056 64134 6ca97b47 CreateFileW 64056->64134 64058 6ca97a2b 64059 6ca97a35 GetLastError 64058->64059 64058->64060 64061 6ca97a41 __dosmaperr 64059->64061 64060->64038 64135 6ca94e0f SetStdHandle __dosmaperr __wsopen_s 64061->64135 64063->64019 64065 6ca7f3f2 64064->64065 64066 6ca7f3fb 64064->64066 64065->64026 64072 6ca8a0c5 5 API calls std::_Lockit::_Lockit 64065->64072 64066->64065 64067 6ca880a2 __Getctype 37 API calls 64066->64067 64068 6ca7f41b 64067->64068 64069 6ca88618 __Getctype 37 API calls 64068->64069 64070 6ca7f431 64069->64070 64071 6ca88645 __cftoe 37 API calls 64070->64071 64071->64065 64072->64026 64074 6ca7f566 64073->64074 64075 6ca7f54c 64073->64075 64077 6ca7f58c 64074->64077 64078 6ca7f56d 64074->64078 64076 6ca7f4cc __wsopen_s HeapFree GetLastError 64075->64076 64083 6ca7f556 __dosmaperr 64076->64083 64079 6ca87f33 __fassign MultiByteToWideChar 64077->64079 64081 6ca7f48d __wsopen_s HeapFree GetLastError 64078->64081 64078->64083 64080 6ca7f59b 64079->64080 64082 6ca7f5a2 GetLastError 64080->64082 64084 6ca7f5c8 64080->64084 64085 6ca7f48d __wsopen_s HeapFree GetLastError 64080->64085 64081->64083 64082->64083 64083->64030 64084->64083 64086 6ca87f33 __fassign MultiByteToWideChar 64084->64086 64085->64084 64087 6ca7f5df 64086->64087 64087->64082 64087->64083 64090 6ca97bfd 64088->64090 64092 6ca97c17 64088->64092 64089 6ca97b6c __wsopen_s 18 API calls 64095 6ca97c4f 64089->64095 64091 6ca83810 __cftoe 18 API calls 64090->64091 64090->64092 64091->64092 64092->64089 64093 6ca97c7e 64094 6ca99001 __wsopen_s 18 API calls 64093->64094 64100 6ca97779 64093->64100 64096 6ca97ccc 64094->64096 64095->64093 64098 6ca83810 __cftoe 18 API calls 64095->64098 64097 6ca97d49 64096->64097 64096->64100 64099 6ca8383d __Getctype 11 API calls 64097->64099 64098->64093 64101 6ca97d55 64099->64101 64100->64038 64102 6ca94cfc 64100->64102 64103 6ca94d08 __wsopen_s 64102->64103 64104 6ca83a8f std::_Lockit::_Lockit EnterCriticalSection 64103->64104 64105 6ca94d0f 64104->64105 64107 6ca94d34 64105->64107 64111 6ca94da3 EnterCriticalSection 64105->64111 64113 6ca94d56 64105->64113 64106 6ca94e06 __wsopen_s LeaveCriticalSection 64109 6ca94d76 64106->64109 64108 6ca94f32 __wsopen_s 11 API calls 64107->64108 64110 6ca94d39 64108->64110 64109->64038 64115 6ca97b47 CreateFileW 64109->64115 64112 6ca95080 __wsopen_s EnterCriticalSection 64110->64112 64110->64113 64111->64113 64114 6ca94db0 LeaveCriticalSection 64111->64114 64112->64113 64113->64106 64114->64105 64115->64043 64116->64047 64117->64044 64118->64048 64119->64049 64121 6ca94c92 __wsopen_s 18 API calls 64120->64121 64124 6ca8f025 64121->64124 64122 6ca8f02b 64123 6ca94e0f __wsopen_s SetStdHandle 64122->64123 64127 6ca8f083 __dosmaperr 64123->64127 64124->64122 64125 6ca94c92 __wsopen_s 18 API calls 64124->64125 64132 6ca8f05d 64124->64132 64128 6ca8f054 64125->64128 64126 6ca94c92 __wsopen_s 18 API calls 64129 6ca8f069 CloseHandle 64126->64129 64127->64038 64130 6ca94c92 __wsopen_s 18 API calls 64128->64130 64129->64122 64131 6ca8f075 GetLastError 64129->64131 64130->64132 64131->64122 64132->64122 64132->64126 64133->64052 64134->64058 64135->64060 64136->63936 64138 6ca84299 64137->64138 64139 6ca842ae 64137->64139 64175 6ca83810 18 API calls __cftoe 64138->64175 64143 6ca842a9 64139->64143 64153 6ca843a9 64139->64153 64143->63939 64147 6ca842d1 64168 6ca8ef88 64147->64168 64149 6ca842d7 64149->64143 64176 6ca87eab HeapFree GetLastError _free 64149->64176 64151->63937 64152->63937 64154 6ca843c1 64153->64154 64158 6ca842c3 64153->64158 64155 6ca8d350 18 API calls 64154->64155 64154->64158 64156 6ca843df 64155->64156 64177 6ca8f25c 64156->64177 64159 6ca8be2e 64158->64159 64160 6ca842cb 64159->64160 64161 6ca8be45 64159->64161 64163 6ca8d350 64160->64163 64161->64160 64233 6ca87eab HeapFree GetLastError _free 64161->64233 64164 6ca8d35c 64163->64164 64165 6ca8d371 64163->64165 64234 6ca83810 18 API calls __cftoe 64164->64234 64165->64147 64167 6ca8d36c 64167->64147 64169 6ca8ef99 __dosmaperr 64168->64169 64170 6ca8efae 64168->64170 64169->64149 64171 6ca8eff7 __dosmaperr 64170->64171 64172 6ca8efd5 64170->64172 64243 6ca83810 18 API calls __cftoe 64171->64243 64235 6ca8f0b1 64172->64235 64175->64143 64176->64143 64178 6ca8f268 __wsopen_s 64177->64178 64179 6ca8f2ba 64178->64179 64181 6ca8f323 __dosmaperr 64178->64181 64184 6ca8f270 __dosmaperr 64178->64184 64188 6ca95080 EnterCriticalSection 64179->64188 64218 6ca83810 18 API calls __cftoe 64181->64218 64182 6ca8f2c0 64186 6ca8f2dc __dosmaperr 64182->64186 64189 6ca8f34e 64182->64189 64184->64158 64217 6ca8f31b LeaveCriticalSection __wsopen_s 64186->64217 64188->64182 64190 6ca8f370 64189->64190 64216 6ca8f38c __dosmaperr 64189->64216 64191 6ca8f374 __dosmaperr 64190->64191 64193 6ca8f3c4 64190->64193 64226 6ca83810 18 API calls __cftoe 64191->64226 64192 6ca8f3d7 64219 6ca8f530 64192->64219 64193->64192 64227 6ca8e359 20 API calls __wsopen_s 64193->64227 64198 6ca8f42c 64200 6ca8f440 64198->64200 64201 6ca8f485 WriteFile 64198->64201 64199 6ca8f3ed 64202 6ca8f3f1 64199->64202 64203 6ca8f416 64199->64203 64206 6ca8f44b 64200->64206 64207 6ca8f475 64200->64207 64204 6ca8f4a9 GetLastError 64201->64204 64201->64216 64202->64216 64228 6ca8f94b 6 API calls __wsopen_s 64202->64228 64229 6ca8f5a1 43 API calls 5 library calls 64203->64229 64204->64216 64210 6ca8f450 64206->64210 64211 6ca8f465 64206->64211 64232 6ca8f9b3 7 API calls 2 library calls 64207->64232 64213 6ca8f455 64210->64213 64210->64216 64231 6ca8fb77 8 API calls 3 library calls 64211->64231 64212 6ca8f463 64212->64216 64230 6ca8fa8e 7 API calls 2 library calls 64213->64230 64216->64186 64217->64184 64218->64184 64220 6ca950d5 __wsopen_s 18 API calls 64219->64220 64221 6ca8f541 64220->64221 64222 6ca8f3e8 64221->64222 64223 6ca880a2 __Getctype 37 API calls 64221->64223 64222->64198 64222->64199 64224 6ca8f564 64223->64224 64224->64222 64225 6ca8f57e GetConsoleMode 64224->64225 64225->64222 64226->64216 64227->64192 64228->64216 64229->64216 64230->64212 64231->64212 64232->64212 64233->64160 64234->64167 64236 6ca8f0bd __wsopen_s 64235->64236 64244 6ca95080 EnterCriticalSection 64236->64244 64238 6ca8f0cb 64239 6ca8f015 __wsopen_s 21 API calls 64238->64239 64240 6ca8f0f8 64238->64240 64239->64240 64245 6ca8f131 LeaveCriticalSection __wsopen_s 64240->64245 64242 6ca8f11a 64242->64169 64243->64169 64244->64238 64245->64242 64246->63774 64247->63776 64248->63774 64249->63774 64250->63774 64253 6c94022e 64251->64253 64252 6c9170c4 64252->63786 64253->64252 64258 6ca84ecb 64253->64258 64255->63788 64256->63790 64257->63792 64259 6ca84ed9 64258->64259 64260 6ca84ef6 64258->64260 64259->64260 64261 6ca84efa 64259->64261 64263 6ca84ee6 64259->64263 64260->64253 64266 6ca850f2 64261->64266 64274 6ca83810 18 API calls __cftoe 64263->64274 64267 6ca850fe __wsopen_s 64266->64267 64275 6ca7fc99 EnterCriticalSection 64267->64275 64269 6ca8510c 64276 6ca850af 64269->64276 64273 6ca84f2c 64273->64253 64274->64260 64275->64269 64284 6ca8bc96 64276->64284 64282 6ca850e9 64283 6ca85141 LeaveCriticalSection 64282->64283 64283->64273 64285 6ca8d350 18 API calls 64284->64285 64286 6ca8bca7 64285->64286 64287 6ca950d5 __wsopen_s 18 API calls 64286->64287 64289 6ca8bcad __wsopen_s 64287->64289 64288 6ca850c3 64291 6ca84f2e 64288->64291 64289->64288 64301 6ca87eab HeapFree GetLastError _free 64289->64301 64293 6ca84f40 64291->64293 64295 6ca84f5e 64291->64295 64292 6ca84f4e 64302 6ca83810 18 API calls __cftoe 64292->64302 64293->64292 64293->64295 64297 6ca84f76 _Yarn 64293->64297 64300 6ca8bd49 62 API calls 64295->64300 64296 6ca843a9 62 API calls 64296->64297 64297->64295 64297->64296 64298 6ca8d350 18 API calls 64297->64298 64299 6ca8f25c __wsopen_s 62 API calls 64297->64299 64298->64297 64299->64297 64300->64282 64301->64288 64302->64295 64304 6ca79715 64303->64304 64305 6c942020 52 API calls 64304->64305 64306 6ca797b6 64305->64306 64307 6ca7a133 std::_Facet_Register 4 API calls 64306->64307 64308 6ca797ee 64307->64308 64309 6ca7aa17 43 API calls 64308->64309 64310 6ca79802 64309->64310 64311 6c941d90 89 API calls 64310->64311 64312 6ca798ab 64311->64312 64313 6ca798dc 64312->64313 64357 6c942250 30 API calls 64312->64357 64313->63803 64315 6ca79916 64358 6c9426e0 24 API calls 4 library calls 64315->64358 64317 6ca79928 64359 6ca7ca69 RaiseException 64317->64359 64319 6ca7993d 64360 6c93e010 67 API calls 64319->64360 64321 6ca7994f 64321->63803 64323 6ca79a7d 64322->64323 64361 6ca79c90 64323->64361 64326 6ca79b6c 64326->63811 64329 6ca79a95 64329->64326 64379 6c942250 30 API calls 64329->64379 64380 6c9426e0 24 API calls 4 library calls 64329->64380 64381 6ca7ca69 RaiseException 64329->64381 64331 6c95304f 64330->64331 64335 6c953063 64331->64335 64390 6c943560 32 API calls std::_Xinvalid_argument 64331->64390 64334 6c95311e 64337 6c953131 64334->64337 64391 6c9437e0 32 API calls std::_Xinvalid_argument 64334->64391 64335->64334 64392 6c942250 30 API calls 64335->64392 64393 6c9426e0 24 API calls 4 library calls 64335->64393 64394 6ca7ca69 RaiseException 64335->64394 64337->63811 64341 6ca7928e 64340->64341 64344 6ca792c1 64340->64344 64342 6c9401f0 64 API calls 64341->64342 64345 6ca792b4 64342->64345 64343 6ca79373 64343->63815 64344->64343 64395 6c942250 30 API calls 64344->64395 64347 6ca84208 67 API calls 64345->64347 64347->64344 64348 6ca7939e 64396 6c942340 24 API calls 64348->64396 64350 6ca793ae 64397 6ca7ca69 RaiseException 64350->64397 64352 6ca793b9 64398 6c93e010 67 API calls 64352->64398 64354 6ca79412 std::ios_base::_Ios_base_dtor 64354->63815 64355->63807 64356->63812 64357->64315 64358->64317 64359->64319 64360->64321 64362 6ca79ccc 64361->64362 64363 6ca79cf8 64361->64363 64364 6ca79cf1 64362->64364 64384 6c942250 30 API calls 64362->64384 64367 6ca79d09 64363->64367 64382 6c943560 32 API calls std::_Xinvalid_argument 64363->64382 64364->64329 64367->64364 64383 6c942f60 42 API calls 4 library calls 64367->64383 64368 6ca79ed8 64385 6c942340 24 API calls 64368->64385 64370 6ca79ee7 64386 6ca7ca69 RaiseException 64370->64386 64374 6ca79f17 64388 6c942340 24 API calls 64374->64388 64376 6ca79f2d 64389 6ca7ca69 RaiseException 64376->64389 64378 6ca79d43 64378->64364 64387 6c942250 30 API calls 64378->64387 64379->64329 64380->64329 64381->64329 64382->64367 64383->64378 64384->64368 64385->64370 64386->64378 64387->64374 64388->64376 64389->64364 64390->64335 64391->64337 64392->64335 64393->64335 64394->64335 64395->64348 64396->64350 64397->64352 64398->64354 64399 6c8f3d62 64401 6c8f3bc0 64399->64401 64400 6c8f3e8a GetCurrentThread NtSetInformationThread 64402 6c8f3eea 64400->64402 64401->64400

                                  Executed Functions

                                  Function 6C8F4754 Relevance: 69.2, APIs: 28, Strings: 1, Instructions: 18471COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: _strlen
                                  • String ID: HR^
                                  • API String ID: 4218353326-1341859651
                                  • Opcode ID: 2c38d22af98724ab125c8409c211f26e16376542949b84633fcaef4b4649a2e2
                                  • Instruction ID: 2fa7ea3f5d5886a5f5361f3f41a06fc438c9f2ec84d3521f2b80fa3372c0a7fc
                                  • Opcode Fuzzy Hash: 2c38d22af98724ab125c8409c211f26e16376542949b84633fcaef4b4649a2e2
                                  • Instruction Fuzzy Hash: 9A74F431644B028FC738CF28C9D0A95B7E2FF95318B198E6DC0A68BA55E774B54BCB50
                                  Function 6CA78930 Relevance: 6.1, APIs: 4, Instructions: 95processCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4604 6ca78930-6ca78964 CreateToolhelp32Snapshot 4605 6ca78980-6ca78989 4604->4605 4606 6ca789d0-6ca789d5 4605->4606 4607 6ca7898b-6ca78990 4605->4607 4610 6ca789d7-6ca789dc 4606->4610 4611 6ca78a34-6ca78a62 call 6ca7f010 Process32FirstW 4606->4611 4608 6ca78992-6ca78997 4607->4608 4609 6ca78a0d-6ca78a12 4607->4609 4612 6ca78966-6ca78973 4608->4612 4613 6ca78999-6ca7899e 4608->4613 4616 6ca78a14-6ca78a2f CloseHandle 4609->4616 4617 6ca78a8b-6ca78a90 4609->4617 4614 6ca78a64-6ca78a71 Process32NextW 4610->4614 4615 6ca789e2-6ca789e7 4610->4615 4619 6ca78a76-6ca78a86 4611->4619 4612->4605 4613->4605 4621 6ca789a0-6ca789ca call 6ca862f5 4613->4621 4614->4619 4615->4605 4622 6ca789e9-6ca78a08 4615->4622 4616->4605 4617->4605 4620 6ca78a96-6ca78aa4 4617->4620 4619->4605 4621->4605 4622->4605
                                  APIs
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA7893E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CreateSnapshotToolhelp32
                                  • String ID:
                                  • API String ID: 3332741929-0
                                  • Opcode ID: 90bdb238172bf832e1feb64a2ffeaba88331ed2352501d81950cf31d7dcbc38c
                                  • Instruction ID: 168bcc607758c2a0a480e9a6cb35fed79fd6616d2c4a3c51dc77ed8a48796c4c
                                  • Opcode Fuzzy Hash: 90bdb238172bf832e1feb64a2ffeaba88331ed2352501d81950cf31d7dcbc38c
                                  • Instruction Fuzzy Hash: 55318D74209305AFDB229F58C88474ABBE4FF89708F14492EF488E7360D730D8898B63
                                  Function 6C8F3886 Relevance: 3.6, APIs: 2, Instructions: 573COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4877 6c8f3886-6c8f388e 4878 6c8f3894-6c8f3896 4877->4878 4879 6c8f3970-6c8f397d 4877->4879 4878->4879 4882 6c8f389c-6c8f38b9 4878->4882 4880 6c8f397f-6c8f3989 4879->4880 4881 6c8f39f1-6c8f39f8 4879->4881 4880->4882 4883 6c8f398f-6c8f3994 4880->4883 4884 6c8f39fe-6c8f3a03 4881->4884 4885 6c8f3ab5-6c8f3aba 4881->4885 4886 6c8f38c0-6c8f38c1 4882->4886 4887 6c8f399a-6c8f399f 4883->4887 4888 6c8f3b16-6c8f3b18 4883->4888 4889 6c8f3a09-6c8f3a2f 4884->4889 4890 6c8f38d2-6c8f38d4 4884->4890 4885->4882 4892 6c8f3ac0-6c8f3ac7 4885->4892 4891 6c8f395e 4886->4891 4894 6c8f383b-6c8f3855 call 6ca42a20 call 6ca42a30 4887->4894 4895 6c8f39a5-6c8f39bf 4887->4895 4888->4886 4896 6c8f38f8-6c8f3955 4889->4896 4897 6c8f3a35-6c8f3a3a 4889->4897 4898 6c8f3957-6c8f395c 4890->4898 4899 6c8f3960-6c8f3964 4891->4899 4892->4886 4893 6c8f3acd-6c8f3ad6 4892->4893 4893->4888 4902 6c8f3ad8-6c8f3aeb 4893->4902 4901 6c8f3860-6c8f3885 4894->4901 4903 6c8f3a5a-6c8f3a5d 4895->4903 4896->4898 4904 6c8f3b1d-6c8f3b22 4897->4904 4905 6c8f3a40-6c8f3a57 4897->4905 4898->4891 4900 6c8f396a 4899->4900 4899->4901 4908 6c8f3ba1-6c8f3bb6 4900->4908 4901->4877 4902->4896 4909 6c8f3af1-6c8f3af8 4902->4909 4913 6c8f3aa9-6c8f3ab0 4903->4913 4911 6c8f3b49-6c8f3b50 4904->4911 4912 6c8f3b24-6c8f3b44 4904->4912 4905->4903 4920 6c8f3bc0-6c8f3bda call 6ca42a20 call 6ca42a30 4908->4920 4915 6c8f3afa-6c8f3aff 4909->4915 4916 6c8f3b62-6c8f3b85 4909->4916 4911->4886 4919 6c8f3b56-6c8f3b5d 4911->4919 4912->4913 4913->4899 4915->4898 4916->4896 4923 6c8f3b8b 4916->4923 4919->4899 4928 6c8f3be0-6c8f3bfe 4920->4928 4923->4908 4931 6c8f3e7b 4928->4931 4932 6c8f3c04-6c8f3c11 4928->4932 4933 6c8f3e81-6c8f3ee0 call 6c8f3750 GetCurrentThread NtSetInformationThread 4931->4933 4934 6c8f3c17-6c8f3c20 4932->4934 4935 6c8f3ce0-6c8f3cea 4932->4935 4953 6c8f3eea-6c8f3f04 call 6ca42a20 call 6ca42a30 4933->4953 4936 6c8f3c26-6c8f3c2d 4934->4936 4937 6c8f3dc5 4934->4937 4939 6c8f3cec-6c8f3d0c 4935->4939 4940 6c8f3d3a-6c8f3d3c 4935->4940 4941 6c8f3dc3 4936->4941 4942 6c8f3c33-6c8f3c3a 4936->4942 4944 6c8f3dc6 4937->4944 4945 6c8f3d90-6c8f3d95 4939->4945 4946 6c8f3d3e-6c8f3d45 4940->4946 4947 6c8f3d70-6c8f3d8d 4940->4947 4941->4937 4951 6c8f3e26-6c8f3e2b 4942->4951 4952 6c8f3c40-6c8f3c5b 4942->4952 4950 6c8f3dc8-6c8f3dcc 4944->4950 4948 6c8f3dba-6c8f3dc1 4945->4948 4949 6c8f3d97-6c8f3db8 4945->4949 4954 6c8f3d50-6c8f3d57 4946->4954 4947->4945 4948->4941 4955 6c8f3dd7-6c8f3ddc 4948->4955 4949->4937 4950->4928 4956 6c8f3dd2 4950->4956 4957 6c8f3c7b-6c8f3cd0 4951->4957 4958 6c8f3e31 4951->4958 4959 6c8f3e1b-6c8f3e24 4952->4959 4971 6c8f3f75-6c8f3fa1 4953->4971 4954->4944 4961 6c8f3dde-6c8f3e17 4955->4961 4962 6c8f3e36-6c8f3e3d 4955->4962 4963 6c8f3e76-6c8f3e79 4956->4963 4957->4954 4958->4920 4959->4950 4959->4963 4961->4959 4966 6c8f3e3f-6c8f3e5a 4962->4966 4967 6c8f3e5c-6c8f3e5f 4962->4967 4963->4933 4966->4959 4967->4957 4969 6c8f3e65-6c8f3e69 4967->4969 4969->4950 4969->4963 4975 6c8f3fa3-6c8f3fa8 4971->4975 4976 6c8f4020-6c8f4026 4971->4976 4979 6c8f3fae-6c8f3fcf 4975->4979 4980 6c8f407c-6c8f4081 4975->4980 4977 6c8f402c-6c8f403c 4976->4977 4978 6c8f3f06-6c8f3f35 4976->4978 4982 6c8f403e-6c8f4058 4977->4982 4983 6c8f40b3-6c8f40b8 4977->4983 4981 6c8f3f38-6c8f3f61 4978->4981 4984 6c8f40aa-6c8f40ae 4979->4984 4980->4984 4985 6c8f4083-6c8f408a 4980->4985 4986 6c8f3f64-6c8f3f67 4981->4986 4987 6c8f405a-6c8f4063 4982->4987 4983->4979 4990 6c8f40be-6c8f40c9 4983->4990 4988 6c8f3f6b-6c8f3f6f 4984->4988 4985->4981 4989 6c8f4090 4985->4989 4991 6c8f3f69 4986->4991 4992 6c8f4069-6c8f406c 4987->4992 4993 6c8f40f5-6c8f413f 4987->4993 4988->4971 4989->4953 4994 6c8f40a7 4989->4994 4990->4984 4995 6c8f40cb-6c8f40d4 4990->4995 4991->4988 4997 6c8f4144-6c8f414b 4992->4997 4998 6c8f4072-6c8f4077 4992->4998 4993->4991 4994->4984 4995->4994 4999 6c8f40d6-6c8f40f0 4995->4999 4997->4988 4998->4986 4999->4987
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ff71d0e8773dab73762fb83bf9b29c8b74a0eb504801338675b268c44827ce7
                                  • Instruction ID: a243140103149b780510576d459303c1f95867345ab38887386216cfac87955a
                                  • Opcode Fuzzy Hash: 8ff71d0e8773dab73762fb83bf9b29c8b74a0eb504801338675b268c44827ce7
                                  • Instruction Fuzzy Hash: 1732F132245B018FC334CF28C990695B7E3EFD1354B6A8E6DC0BA4BA95D774B84B8B51
                                  Function 6C8F3A6A Relevance: 3.1, APIs: 2, Instructions: 148threadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: 0e2da79714b02a9e6d0b3b645e6d43ae7163ee91c157c020cfc2f83c35f8f403
                                  • Instruction ID: 62cf06e68af42e1773b00b4eeacf8213f55a0de4195df556b844f90b22c0e213
                                  • Opcode Fuzzy Hash: 0e2da79714b02a9e6d0b3b645e6d43ae7163ee91c157c020cfc2f83c35f8f403
                                  • Instruction Fuzzy Hash: 2851DE31114B018FC3318F28CA80785B7A3AFD1394F6A8E5DC0F65BA91DB74B94B8B52
                                  Function 6C8F39CF Relevance: 3.1, APIs: 2, Instructions: 139threadCOMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CurrentThread
                                  • String ID:
                                  • API String ID: 2882836952-0
                                  • Opcode ID: fa45e15f9d25689e492dac5605dc193954bcb4692df7a57b879bd209889f9891
                                  • Instruction ID: 89cc7d472255e7eee610452d44d042b42c560e731905f5d1fe6c7567775879bf
                                  • Opcode Fuzzy Hash: fa45e15f9d25689e492dac5605dc193954bcb4692df7a57b879bd209889f9891
                                  • Instruction Fuzzy Hash: 5B51BD31114B058BC330CF28C680795B7A3AFD5394F6A8E5DC0F65BA95DB70B94B8B52
                                  Function 6C8F3D18 Relevance: 3.1, APIs: 2, Instructions: 89threadnativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 6C8F3E9D
                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8F3EAA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Thread$CurrentInformation
                                  • String ID:
                                  • API String ID: 1650627709-0
                                  • Opcode ID: 0071f5e139c75f30adc90e998fd9441f29fe8ad2e8440224e60461244ffb02d9
                                  • Instruction ID: ae57adf2478aa910e87d55765b1cc40f219f00e62637f3c4d9b747b62dac968d
                                  • Opcode Fuzzy Hash: 0071f5e139c75f30adc90e998fd9441f29fe8ad2e8440224e60461244ffb02d9
                                  • Instruction Fuzzy Hash: B2310331115B058BD330CF24C9847C6B7A3EFD6354F698E1DC0B65BA80DBB4784A8B62
                                  Function 6C8F3D62 Relevance: 3.1, APIs: 2, Instructions: 83threadnativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 6C8F3E9D
                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8F3EAA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Thread$CurrentInformation
                                  • String ID:
                                  • API String ID: 1650627709-0
                                  • Opcode ID: 0f9cdd2ba877c97d2a437f5dd8be0febac352e3d77a226ae603ad3fd1bf36a25
                                  • Instruction ID: 13104a5ab226afa1e2c703cba74d8172f8a69f685a01864d7ede3aa1c958b002
                                  • Opcode Fuzzy Hash: 0f9cdd2ba877c97d2a437f5dd8be0febac352e3d77a226ae603ad3fd1bf36a25
                                  • Instruction Fuzzy Hash: D6312131114B058BD734CF28C694796B7B2EF92384F654E1DC0F65BA81DBB1784ACB52
                                  Function 6CA78810 Relevance: 3.1, APIs: 2, Instructions: 72serviceCOMMON
                                  Download Yara Rule
                                  APIs
                                  • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA78820
                                  • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CA788C5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Open$ManagerService
                                  • String ID:
                                  • API String ID: 2351955762-0
                                  • Opcode ID: 9132ebef7341b8e64211f31fda05a8de20bbef57286f6484a2b44b7be0c369d5
                                  • Instruction ID: 1c612faea1d619273e901476dc98e85e2e80c8771ca7a897363dcf7b0216b1ab
                                  • Opcode Fuzzy Hash: 9132ebef7341b8e64211f31fda05a8de20bbef57286f6484a2b44b7be0c369d5
                                  • Instruction Fuzzy Hash: 7E31F878518341AFC7119F29C849A0EBBF0BB89794F54896AF498E7261D271C8888B63
                                  Function 6C8F3C62 Relevance: 3.1, APIs: 2, Instructions: 72threadnativeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetCurrentThread.KERNEL32 ref: 6C8F3E9D
                                  • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C8F3EAA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Thread$CurrentInformation
                                  • String ID:
                                  • API String ID: 1650627709-0
                                  • Opcode ID: 6088187c04f19d8d7d7d5d575612b0c3fc64d574807952fd5fd3a2b247289c55
                                  • Instruction ID: cf1fc1c9cc3eb443b0770d636cf4c0b7dcf7e7d2559378e1f657a11083921b1f
                                  • Opcode Fuzzy Hash: 6088187c04f19d8d7d7d5d575612b0c3fc64d574807952fd5fd3a2b247289c55
                                  • Instruction Fuzzy Hash: 0B2108301187058BD774CF24CA9479677B2AFD2384F544E2DC0B697A80DB74794A8B52
                                  Function 6CA6E090 Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • FindFirstFileA.KERNEL32(?,?), ref: 6CA6E0AC
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: FileFindFirst
                                  • String ID:
                                  • API String ID: 1974802433-0
                                  • Opcode ID: 5f6470db5d38d08270f20537095e1db7a27aa3e4960be617d22dbff6d0ce8e7d
                                  • Instruction ID: b20dc98548659bc9397d247bd012432cb32c0d0cd9ad69f2c0b3f8baeb25aaef
                                  • Opcode Fuzzy Hash: 5f6470db5d38d08270f20537095e1db7a27aa3e4960be617d22dbff6d0ce8e7d
                                  • Instruction Fuzzy Hash: EF11287454C2519FC711CF29C944A4ABBE4AF86714F188D4AE4E8C7A90E734D8988B92
                                  Function 6CA901C3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3722 6ca901c3-6ca901d3 3723 6ca901ed-6ca901ef 3722->3723 3724 6ca901d5-6ca901e8 call 6ca830cf call 6ca830bc 3722->3724 3726 6ca901f5-6ca901fb 3723->3726 3727 6ca90554-6ca90561 call 6ca830cf call 6ca830bc 3723->3727 3740 6ca9056c 3724->3740 3726->3727 3730 6ca90201-6ca90227 3726->3730 3745 6ca90567 call 6ca83810 3727->3745 3730->3727 3733 6ca9022d-6ca90236 3730->3733 3736 6ca90238-6ca9024b call 6ca830cf call 6ca830bc 3733->3736 3737 6ca90250-6ca90252 3733->3737 3736->3745 3738 6ca90258-6ca9025b 3737->3738 3739 6ca90550-6ca90552 3737->3739 3738->3739 3743 6ca90261-6ca90265 3738->3743 3744 6ca9056f-6ca90572 3739->3744 3740->3744 3743->3736 3747 6ca90267-6ca9027e 3743->3747 3745->3740 3750 6ca902cf-6ca902d5 3747->3750 3751 6ca90280-6ca90283 3747->3751 3753 6ca9029b-6ca902b2 call 6ca830cf call 6ca830bc call 6ca83810 3750->3753 3754 6ca902d7-6ca902e1 3750->3754 3755 6ca90293-6ca90299 3751->3755 3756 6ca90285-6ca9028e 3751->3756 3789 6ca90487 3753->3789 3757 6ca902e8-6ca90306 call 6ca87ee5 call 6ca87eab * 2 3754->3757 3758 6ca902e3-6ca902e5 3754->3758 3755->3753 3760 6ca902b7-6ca902ca 3755->3760 3759 6ca90353-6ca90363 3756->3759 3793 6ca90308-6ca9031e call 6ca830bc call 6ca830cf 3757->3793 3794 6ca90323-6ca9034c call 6ca8e359 3757->3794 3758->3757 3762 6ca90369-6ca90375 3759->3762 3763 6ca90428-6ca90431 call 6ca950d5 3759->3763 3760->3759 3762->3763 3766 6ca9037b-6ca9037d 3762->3766 3777 6ca90433-6ca90445 3763->3777 3778 6ca904a4 3763->3778 3766->3763 3770 6ca90383-6ca903a7 3766->3770 3770->3763 3774 6ca903a9-6ca903bf 3770->3774 3774->3763 3779 6ca903c1-6ca903c3 3774->3779 3777->3778 3783 6ca90447-6ca90456 GetConsoleMode 3777->3783 3781 6ca904a8-6ca904c0 ReadFile 3778->3781 3779->3763 3785 6ca903c5-6ca903eb 3779->3785 3787 6ca9051c-6ca90527 GetLastError 3781->3787 3788 6ca904c2-6ca904c8 3781->3788 3783->3778 3784 6ca90458-6ca9045c 3783->3784 3784->3781 3790 6ca9045e-6ca90478 ReadConsoleW 3784->3790 3785->3763 3792 6ca903ed-6ca90403 3785->3792 3795 6ca90529-6ca9053b call 6ca830bc call 6ca830cf 3787->3795 3796 6ca90540-6ca90543 3787->3796 3788->3787 3797 6ca904ca 3788->3797 3791 6ca9048a-6ca90494 call 6ca87eab 3789->3791 3798 6ca90499-6ca904a2 3790->3798 3799 6ca9047a GetLastError 3790->3799 3791->3744 3792->3763 3803 6ca90405-6ca90407 3792->3803 3793->3789 3794->3759 3795->3789 3800 6ca90549-6ca9054b 3796->3800 3801 6ca90480-6ca90486 call 6ca830e2 3796->3801 3807 6ca904cd-6ca904df 3797->3807 3798->3807 3799->3801 3800->3791 3801->3789 3803->3763 3812 6ca90409-6ca90423 3803->3812 3807->3791 3809 6ca904e1-6ca904e5 3807->3809 3816 6ca904fe-6ca90509 3809->3816 3817 6ca904e7-6ca904f7 call 6ca905ee 3809->3817 3812->3763 3822 6ca9050b call 6ca90573 3816->3822 3823 6ca90515-6ca9051a call 6ca908a6 3816->3823 3828 6ca904fa-6ca904fc 3817->3828 3829 6ca90510-6ca90513 3822->3829 3823->3829 3828->3791 3829->3828
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8Q
                                  • API String ID: 0-4022487301
                                  • Opcode ID: ce45926cc061e1b859e4bf75e77e8b5d761a79359b6638531fd469087ba1eb40
                                  • Instruction ID: 0c8d7a45160ee80e704f2eadc2467cfb5fcf8cbc5629e646878df7cc368fb0cc
                                  • Opcode Fuzzy Hash: ce45926cc061e1b859e4bf75e77e8b5d761a79359b6638531fd469087ba1eb40
                                  • Instruction Fuzzy Hash: 83C10370A152899FDF01CF9CC881BAEBBF0AF4E358F144159E954ABB81C73199C9CB61
                                  Function 6CA9775C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 3831 6ca9775c-6ca9778c call 6ca97bdc 3834 6ca9778e-6ca97799 call 6ca830cf 3831->3834 3835 6ca977a7-6ca977b3 call 6ca94cfc 3831->3835 3840 6ca9779b-6ca977a2 call 6ca830bc 3834->3840 3841 6ca977cc-6ca97815 call 6ca97b47 3835->3841 3842 6ca977b5-6ca977ca call 6ca830cf call 6ca830bc 3835->3842 3852 6ca97a81-6ca97a85 3840->3852 3850 6ca97882-6ca9788b GetFileType 3841->3850 3851 6ca97817-6ca97820 3841->3851 3842->3840 3856 6ca9788d-6ca978be GetLastError call 6ca830e2 CloseHandle 3850->3856 3857 6ca978d4-6ca978d7 3850->3857 3854 6ca97822-6ca97826 3851->3854 3855 6ca97857-6ca9787d GetLastError call 6ca830e2 3851->3855 3854->3855 3861 6ca97828-6ca97855 call 6ca97b47 3854->3861 3855->3840 3856->3840 3868 6ca978c4-6ca978cf call 6ca830bc 3856->3868 3859 6ca978d9-6ca978de 3857->3859 3860 6ca978e0-6ca978e6 3857->3860 3864 6ca978ea-6ca97938 call 6ca94ea0 3859->3864 3860->3864 3865 6ca978e8 3860->3865 3861->3850 3861->3855 3874 6ca9793a-6ca97946 call 6ca97d56 3864->3874 3875 6ca97957-6ca9797f call 6ca97e00 3864->3875 3865->3864 3868->3840 3874->3875 3882 6ca97948 3874->3882 3880 6ca97981-6ca97982 3875->3880 3881 6ca97984-6ca979c5 3875->3881 3883 6ca9794a-6ca97952 call 6ca8f015 3880->3883 3884 6ca979c7-6ca979cb 3881->3884 3885 6ca979e6-6ca979f4 3881->3885 3882->3883 3883->3852 3884->3885 3887 6ca979cd-6ca979e1 3884->3887 3888 6ca979fa-6ca979fe 3885->3888 3889 6ca97a7f 3885->3889 3887->3885 3888->3889 3891 6ca97a00-6ca97a33 CloseHandle call 6ca97b47 3888->3891 3889->3852 3894 6ca97a35-6ca97a61 GetLastError call 6ca830e2 call 6ca94e0f 3891->3894 3895 6ca97a67-6ca97a7b 3891->3895 3894->3895 3895->3889
                                  APIs
                                    • Part of subcall function 6CA97B47: CreateFileW.KERNEL32(00000000,00000000,?,6CA97805,?,?,00000000,?,6CA97805,00000000,0000000C), ref: 6CA97B64
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA97870
                                  • __dosmaperr.LIBCMT ref: 6CA97877
                                  • GetFileType.KERNEL32(00000000), ref: 6CA97883
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA9788D
                                  • __dosmaperr.LIBCMT ref: 6CA97896
                                  • CloseHandle.KERNEL32(00000000), ref: 6CA978B6
                                  • CloseHandle.KERNEL32(6CA8E7C0), ref: 6CA97A03
                                  • GetLastError.KERNEL32 ref: 6CA97A35
                                  • __dosmaperr.LIBCMT ref: 6CA97A3C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                  • String ID: 8Q
                                  • API String ID: 4237864984-4022487301
                                  • Opcode ID: 83b4fb48958f16f1310dab6de82f1c68d09acd5f40b80f782e4f70035713c7d1
                                  • Instruction ID: 5bf358ff9e75313bb136bbfa7153eacceb48e04bb628e101736e131a8f833bbb
                                  • Opcode Fuzzy Hash: 83b4fb48958f16f1310dab6de82f1c68d09acd5f40b80f782e4f70035713c7d1
                                  • Instruction Fuzzy Hash: 9DA11432A241159FCF099F68C892BAE7BF1AB47328F18414DE811EF790D735898AC761
                                  Function 6CA4B4D0 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 834fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6CA4B62F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID: *$,=ym$-=ym$-=ym$B$H
                                  • API String ID: 3934441357-3163594065
                                  • Opcode ID: e17b4927af2a55f8d78c4b16d6a9572bf27487392b4921a861d85420db37b9a4
                                  • Instruction ID: 11654b0f9bae5fd56ee8c038efd42223304c5e049c7a2c57935c3f7eb509b44f
                                  • Opcode Fuzzy Hash: e17b4927af2a55f8d78c4b16d6a9572bf27487392b4921a861d85420db37b9a4
                                  • Instruction Fuzzy Hash: 7B7269746097459FCB24CF28E49065EB7E1AF89308F28CE1EE499CBB50E774D8858B53
                                  Function 6C8F4200 Relevance: 9.0, APIs: 3, Strings: 1, Instructions: 2005COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ;T55
                                  • API String ID: 0-2572755013
                                  • Opcode ID: 43458cac3392b60ab6d8307e7ea7556c5db1fa1f27a17b72247c79b1f8af7196
                                  • Instruction ID: 833c54699f73f75e3e3f20dd5aad4a22008c412aeed8081e8edf7861e8a2d811
                                  • Opcode Fuzzy Hash: 43458cac3392b60ab6d8307e7ea7556c5db1fa1f27a17b72247c79b1f8af7196
                                  • Instruction Fuzzy Hash: F703D231745B018FC728CF28C8D0696B7E3AFD5328719CB6DC0AA4BA95DB74B54ACB50
                                  Function 6CA786E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62processsynchronizationCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4469 6ca786e0-6ca78767 CreateProcessA 4470 6ca7878b-6ca78794 4469->4470 4471 6ca78796-6ca7879b 4470->4471 4472 6ca787b0-6ca787fa WaitForSingleObject CloseHandle * 2 4470->4472 4473 6ca78770-6ca78783 4471->4473 4474 6ca7879d-6ca787a2 4471->4474 4472->4470 4473->4470 4474->4470 4475 6ca787a4-6ca78807 4474->4475
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CloseHandle$CreateObjectProcessSingleWait
                                  • String ID: D
                                  • API String ID: 2059082233-2746444292
                                  • Opcode ID: 0b85b3b96ea370427a1ce3925cdecc8d759cbf14dd8c8d11d5fee2b4cb232c35
                                  • Instruction ID: 0eddd754bc336805e880f556f1aa182dbdacba312eebb58df9eefc700b9981a3
                                  • Opcode Fuzzy Hash: 0b85b3b96ea370427a1ce3925cdecc8d759cbf14dd8c8d11d5fee2b4cb232c35
                                  • Instruction Fuzzy Hash: 8D31DEB59093808FD750DF28C18471ABBF0BB99318F505A1EF899A7360D7B899848B53
                                  Function 6CA8F34E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4477 6ca8f34e-6ca8f36a 4478 6ca8f529 4477->4478 4479 6ca8f370-6ca8f372 4477->4479 4480 6ca8f52b-6ca8f52f 4478->4480 4481 6ca8f394-6ca8f3b5 4479->4481 4482 6ca8f374-6ca8f387 call 6ca830cf call 6ca830bc call 6ca83810 4479->4482 4483 6ca8f3bc-6ca8f3c2 4481->4483 4484 6ca8f3b7-6ca8f3ba 4481->4484 4497 6ca8f38c-6ca8f38f 4482->4497 4483->4482 4486 6ca8f3c4-6ca8f3c9 4483->4486 4484->4483 4484->4486 4489 6ca8f3da-6ca8f3eb call 6ca8f530 4486->4489 4490 6ca8f3cb-6ca8f3d7 call 6ca8e359 4486->4490 4498 6ca8f42c-6ca8f43e 4489->4498 4499 6ca8f3ed-6ca8f3ef 4489->4499 4490->4489 4497->4480 4500 6ca8f440-6ca8f449 4498->4500 4501 6ca8f485-6ca8f4a7 WriteFile 4498->4501 4502 6ca8f3f1-6ca8f3f9 4499->4502 4503 6ca8f416-6ca8f422 call 6ca8f5a1 4499->4503 4509 6ca8f44b-6ca8f44e 4500->4509 4510 6ca8f475-6ca8f483 call 6ca8f9b3 4500->4510 4506 6ca8f4a9-6ca8f4af GetLastError 4501->4506 4507 6ca8f4b2 4501->4507 4504 6ca8f4bb-6ca8f4be 4502->4504 4505 6ca8f3ff-6ca8f40c call 6ca8f94b 4502->4505 4513 6ca8f427-6ca8f42a 4503->4513 4515 6ca8f4c1-6ca8f4c6 4504->4515 4520 6ca8f40f-6ca8f411 4505->4520 4506->4507 4514 6ca8f4b5-6ca8f4ba 4507->4514 4516 6ca8f450-6ca8f453 4509->4516 4517 6ca8f465-6ca8f473 call 6ca8fb77 4509->4517 4510->4513 4513->4520 4514->4504 4521 6ca8f4c8-6ca8f4cd 4515->4521 4522 6ca8f524-6ca8f527 4515->4522 4516->4515 4523 6ca8f455-6ca8f463 call 6ca8fa8e 4516->4523 4517->4513 4520->4514 4526 6ca8f4f9-6ca8f505 4521->4526 4527 6ca8f4cf-6ca8f4d4 4521->4527 4522->4480 4523->4513 4529 6ca8f50c-6ca8f51f call 6ca830bc call 6ca830cf 4526->4529 4530 6ca8f507-6ca8f50a 4526->4530 4531 6ca8f4ed-6ca8f4f4 call 6ca830e2 4527->4531 4532 6ca8f4d6-6ca8f4e8 call 6ca830bc call 6ca830cf 4527->4532 4529->4497 4530->4478 4530->4529 4531->4497 4532->4497
                                  APIs
                                    • Part of subcall function 6CA8F5A1: GetConsoleCP.KERNEL32(?,6CA8E7C0,?), ref: 6CA8F5E9
                                  • WriteFile.KERNEL32(?,?,6CA97DDC,00000000,00000000,?,00000000,00000000,6CA991A6,00000000,00000000,?,00000000,6CA8E7C0,6CA97DDC,00000000), ref: 6CA8F49F
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA97DDC,6CA8E7C0,00000000,?,?,?,?,00000000,?), ref: 6CA8F4A9
                                  • __dosmaperr.LIBCMT ref: 6CA8F4EE
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ConsoleErrorFileLastWrite__dosmaperr
                                  • String ID: 8Q
                                  • API String ID: 251514795-4022487301
                                  • Opcode ID: eb6b7d3a173c3d4344971aa8fb9ddf46260815d8047a74906989d7a316579889
                                  • Instruction ID: c58eaa1522671f40d3945012241b94c7dc4993d3bd3e81ce12fbc25ce751a80f
                                  • Opcode Fuzzy Hash: eb6b7d3a173c3d4344971aa8fb9ddf46260815d8047a74906989d7a316579889
                                  • Instruction Fuzzy Hash: 5F510871A0311BAFDB01DFA8CD40BDEBBB9EF09318F14051AE510ABA81D735D9C98761
                                  Function 6CA79280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 142COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4544 6ca79280-6ca7928c 4545 6ca7928e-6ca79299 4544->4545 4546 6ca792cd 4544->4546 4547 6ca792af-6ca792bc call 6c9401f0 call 6ca84208 4545->4547 4548 6ca7929b-6ca792ad 4545->4548 4549 6ca792cf-6ca79347 4546->4549 4558 6ca792c1-6ca792cb 4547->4558 4548->4547 4551 6ca79373-6ca79379 4549->4551 4552 6ca79349-6ca79371 4549->4552 4552->4551 4553 6ca7937a-6ca79439 call 6c942250 call 6c942340 call 6ca7ca69 call 6c93e010 call 6ca7a778 4552->4553 4558->4549
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA79421
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 323602529-1866435925
                                  • Opcode ID: d42fbdae57c72ff974c2442dbce2552478c2f0f479adf4f78c282c82b67aa295
                                  • Instruction ID: 67925bd8b33bc7a0a2ec0f5c183680a072be941d7db95362433ff5ee0e117439
                                  • Opcode Fuzzy Hash: d42fbdae57c72ff974c2442dbce2552478c2f0f479adf4f78c282c82b67aa295
                                  • Instruction Fuzzy Hash: 655132B5900B008FD725CF29C585B97BBF1BB59318F048A2DD8864BB90D775A94ACBA0
                                  Function 6CA4CEA0 Relevance: 6.2, APIs: 4, Instructions: 187fileCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4567 6ca4cea0-6ca4cf03 call 6ca7a260 4570 6ca4cf40-6ca4cf49 4567->4570 4571 6ca4cf90-6ca4cf95 4570->4571 4572 6ca4cf4b-6ca4cf50 4570->4572 4575 6ca4d030-6ca4d035 4571->4575 4576 6ca4cf9b-6ca4cfa0 4571->4576 4573 6ca4cf56-6ca4cf5b 4572->4573 4574 6ca4d000-6ca4d005 4572->4574 4581 6ca4d065-6ca4d08c 4573->4581 4582 6ca4cf61-6ca4cf66 4573->4582 4577 6ca4d125-6ca4d158 call 6ca7ea90 4574->4577 4578 6ca4d00b-6ca4d010 4574->4578 4579 6ca4d17d-6ca4d191 4575->4579 4580 6ca4d03b-6ca4d040 4575->4580 4583 6ca4cf05-6ca4cf21 WriteFile 4576->4583 4584 6ca4cfa6-6ca4cfab 4576->4584 4577->4570 4587 6ca4d016-6ca4d01b 4578->4587 4588 6ca4d15d-6ca4d175 4578->4588 4585 6ca4d195-6ca4d1a2 4579->4585 4589 6ca4d046-6ca4d060 4580->4589 4590 6ca4d1a7-6ca4d1ac 4580->4590 4593 6ca4cf33-6ca4cf38 4581->4593 4591 6ca4d091-6ca4d0aa WriteFile 4582->4591 4592 6ca4cf6c-6ca4cf71 4582->4592 4586 6ca4cf30 4583->4586 4595 6ca4cfb1-6ca4cfb6 4584->4595 4596 6ca4d0af-6ca4d120 WriteFile 4584->4596 4585->4570 4586->4593 4587->4570 4598 6ca4d021-6ca4d02b 4587->4598 4588->4579 4589->4585 4590->4570 4597 6ca4d1b2-6ca4d1c0 4590->4597 4591->4586 4592->4570 4599 6ca4cf73-6ca4cf86 4592->4599 4593->4570 4595->4570 4601 6ca4cfb8-6ca4cfee call 6ca7f010 ReadFile 4595->4601 4596->4586 4598->4586 4599->4593 4601->4586
                                  APIs
                                  • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6CA4CFE1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: c49beb4e40756d8da04960abda32dafb9addd687d3e9d6a05912ceeb472e3f1c
                                  • Instruction ID: b5bbfbe39d7cfaf3884a8cdf2eabc513faa965c8c266472b695388f7140d0840
                                  • Opcode Fuzzy Hash: c49beb4e40756d8da04960abda32dafb9addd687d3e9d6a05912ceeb472e3f1c
                                  • Instruction Fuzzy Hash: 45714EB0609344AFD710DF19C884B5ABBE4BF89708F50892EF899C7660D375D988CF92
                                  Function 6CA4C390 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 631COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4626 6ca4c390-6ca4c406 call 6ca7a260 call 6ca7f010 4631 6ca4c426-6ca4c42f 4626->4631 4632 6ca4c490-6ca4c495 4631->4632 4633 6ca4c431-6ca4c436 4631->4633 4634 6ca4c570-6ca4c575 4632->4634 4635 6ca4c49b-6ca4c4a0 4632->4635 4636 6ca4c500-6ca4c505 4633->4636 4637 6ca4c43c-6ca4c441 4633->4637 4642 6ca4c6d6-6ca4c6db 4634->4642 4643 6ca4c57b-6ca4c580 4634->4643 4644 6ca4c4a6-6ca4c4ab 4635->4644 4645 6ca4c638-6ca4c63d 4635->4645 4640 6ca4c679-6ca4c67e 4636->4640 4641 6ca4c50b-6ca4c510 4636->4641 4638 6ca4c447-6ca4c44c 4637->4638 4639 6ca4c5bf-6ca4c5c4 4637->4639 4646 6ca4c742-6ca4c747 4638->4646 4647 6ca4c452-6ca4c457 4638->4647 4660 6ca4c863-6ca4c868 4639->4660 4661 6ca4c5ca-6ca4c5cf 4639->4661 4652 6ca4c684-6ca4c689 4640->4652 4653 6ca4c8e2-6ca4c8e7 4640->4653 4648 6ca4c516-6ca4c51b 4641->4648 4649 6ca4c7de-6ca4c7e3 4641->4649 4658 6ca4c6e1-6ca4c6e6 4642->4658 4659 6ca4c912-6ca4c917 4642->4659 4654 6ca4c586-6ca4c58b 4643->4654 4655 6ca4c830-6ca4c835 4643->4655 4656 6ca4c796-6ca4c79b 4644->4656 4657 6ca4c4b1-6ca4c4b6 4644->4657 4650 6ca4c643-6ca4c648 4645->4650 4651 6ca4c8ab-6ca4c8b0 4645->4651 4662 6ca4cca3-6ca4ccba 4646->4662 4663 6ca4c74d-6ca4c752 4646->4663 4678 6ca4c93d-6ca4c95b 4647->4678 4679 6ca4c45d-6ca4c462 4647->4679 4664 6ca4c521-6ca4c526 4648->4664 4665 6ca4c9a3-6ca4c9b3 4648->4665 4668 6ca4c7e9-6ca4c7ee 4649->4668 4669 6ca4ccfa-6ca4cd23 4649->4669 4680 6ca4c64e-6ca4c653 4650->4680 4681 6ca4cb08-6ca4cb34 4650->4681 4682 6ca4c8b6-6ca4c8bb 4651->4682 4683 6ca4cdda-6ca4cdf1 4651->4683 4686 6ca4cb61-6ca4cb85 4652->4686 4687 6ca4c68f-6ca4c694 4652->4687 4684 6ca4c8ed-6ca4c8f2 4653->4684 4685 6ca4cdf9-6ca4ce12 4653->4685 4670 6ca4c591-6ca4c596 4654->4670 4671 6ca4c9fe-6ca4ca3a 4654->4671 4672 6ca4cd6c-6ca4cd88 4655->4672 4673 6ca4c83b-6ca4c840 4655->4673 4666 6ca4c7a1-6ca4c7a6 4656->4666 4667 6ca4c408-6ca4c418 4656->4667 4688 6ca4c4bc-6ca4c4c1 4657->4688 4689 6ca4c97a-6ca4c984 4657->4689 4692 6ca4cc12-6ca4cc4d call 6ca7f010 call 6ca4b4d0 4658->4692 4693 6ca4c6ec-6ca4c6f1 4658->4693 4690 6ca4c91d-6ca4c922 4659->4690 4691 6ca4ce1a-6ca4ce29 4659->4691 4676 6ca4cdb7-6ca4cdbf 4660->4676 4677 6ca4c86e-6ca4c873 4660->4677 4674 6ca4c5d5-6ca4c5da 4661->4674 4675 6ca4ca71-6ca4ca9b call 6ca7ea90 4661->4675 4724 6ca4ccbc-6ca4ccc4 4662->4724 4695 6ca4c758-6ca4c75d 4663->4695 4696 6ca4ccc9-6ca4ccd8 4663->4696 4714 6ca4c52c-6ca4c531 4664->4714 4715 6ca4c9bd-6ca4c9c5 4664->4715 4665->4715 4698 6ca4cce0-6ca4ccf5 4666->4698 4699 6ca4c7ac-6ca4c7b1 4666->4699 4702 6ca4c41d 4667->4702 4700 6ca4c7f4-6ca4c7f9 4668->4700 4701 6ca4cd28-6ca4cd67 4668->4701 4669->4631 4717 6ca4ca43-6ca4ca6c 4670->4717 4718 6ca4c59c-6ca4c5a1 4670->4718 4671->4717 4694 6ca4cd8a-6ca4cd98 4672->4694 4703 6ca4c846-6ca4c84b 4673->4703 4704 6ca4cd9d-6ca4cdad 4673->4704 4719 6ca4caa0-6ca4cb03 call 6ca4ce50 CreateFileA 4674->4719 4720 6ca4c5e0-6ca4c5e5 4674->4720 4675->4631 4697 6ca4cdc4-6ca4cdd5 4676->4697 4705 6ca4ce31-6ca4ce36 4677->4705 4706 6ca4c879-6ca4c8a6 4677->4706 4678->4694 4707 6ca4c960-6ca4c975 4679->4707 4708 6ca4c468-6ca4c46d 4679->4708 4722 6ca4cb39-6ca4cb5c 4680->4722 4723 6ca4c659-6ca4c65e 4680->4723 4681->4631 4682->4631 4709 6ca4c8c1-6ca4c8dd 4682->4709 4683->4685 4684->4631 4710 6ca4c8f8-6ca4c90d 4684->4710 4685->4691 4686->4631 4725 6ca4cb8a-6ca4cc0d 4687->4725 4726 6ca4c69a-6ca4c69f 4687->4726 4711 6ca4c4c7-6ca4c4cc 4688->4711 4712 6ca4c989-6ca4c99e 4688->4712 4689->4631 4690->4631 4713 6ca4c928-6ca4c938 4690->4713 4691->4705 4752 6ca4cc52-6ca4cc72 4692->4752 4727 6ca4cc77-6ca4cc88 4693->4727 4728 6ca4c6f7-6ca4c6fc 4693->4728 4694->4631 4695->4631 4729 6ca4c763-6ca4c791 4695->4729 4696->4698 4697->4631 4698->4702 4699->4631 4730 6ca4c7b7-6ca4c7d9 4699->4730 4700->4631 4731 6ca4c7ff-6ca4c82b 4700->4731 4701->4631 4732 6ca4c420-6ca4c424 4702->4732 4703->4631 4734 6ca4c851-6ca4c85e 4703->4734 4704->4676 4705->4631 4733 6ca4ce3c-6ca4ce47 4705->4733 4706->4631 4707->4631 4708->4631 4735 6ca4c46f-6ca4c483 4708->4735 4736 6ca4cc8d-6ca4cc9e 4709->4736 4710->4631 4711->4631 4737 6ca4c4d2-6ca4c4fa call 6ca42a20 call 6ca42a30 4711->4737 4712->4732 4713->4697 4714->4631 4739 6ca4c537-6ca4c561 4714->4739 4738 6ca4c9ca-6ca4c9f9 4715->4738 4717->4631 4718->4631 4741 6ca4c5a7-6ca4c5ba 4718->4741 4719->4631 4720->4631 4743 6ca4c5eb-6ca4c633 4720->4743 4722->4631 4723->4631 4745 6ca4c664-6ca4c674 4723->4745 4724->4631 4725->4631 4726->4631 4746 6ca4c6a5-6ca4c6d1 4726->4746 4727->4736 4728->4631 4747 6ca4c702-6ca4c73d 4728->4747 4729->4724 4730->4694 4731->4631 4732->4631 4734->4738 4735->4697 4736->4631 4737->4631 4738->4631 4739->4631 4741->4631 4743->4631 4745->4738 4746->4631 4747->4631 4752->4631
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @*Z$@*Z
                                  • API String ID: 0-2842812045
                                  • Opcode ID: 22ab847bb4cee1ee740f6c81b2a3e4336049ef4f1544825aa5b7af33d718f82e
                                  • Instruction ID: fe0afb22b66b1a47b716e69c7e9129344e00de41fe41cff618cf94c748d95dfe
                                  • Opcode Fuzzy Hash: 22ab847bb4cee1ee740f6c81b2a3e4336049ef4f1544825aa5b7af33d718f82e
                                  • Instruction Fuzzy Hash: 924269746093428FCB14DF18C58166EBBE1AF89358F248D2EF49AC7761E731D9898B13
                                  Function 6CA8F015 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 4755 6ca8f015-6ca8f029 call 6ca94c92 4758 6ca8f02b-6ca8f02d 4755->4758 4759 6ca8f02f-6ca8f037 4755->4759 4760 6ca8f07d-6ca8f09d call 6ca94e0f 4758->4760 4761 6ca8f039-6ca8f040 4759->4761 4762 6ca8f042-6ca8f045 4759->4762 4770 6ca8f0ab 4760->4770 4771 6ca8f09f-6ca8f0a9 call 6ca830e2 4760->4771 4761->4762 4764 6ca8f04d-6ca8f061 call 6ca94c92 * 2 4761->4764 4765 6ca8f063-6ca8f073 call 6ca94c92 CloseHandle 4762->4765 4766 6ca8f047-6ca8f04b 4762->4766 4764->4758 4764->4765 4765->4758 4777 6ca8f075-6ca8f07b GetLastError 4765->4777 4766->4764 4766->4765 4775 6ca8f0ad-6ca8f0b0 4770->4775 4771->4775 4777->4760
                                  APIs
                                  • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA9794F), ref: 6CA8F06B
                                  • GetLastError.KERNEL32(?,00000000,?,6CA9794F), ref: 6CA8F075
                                  • __dosmaperr.LIBCMT ref: 6CA8F0A0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CloseErrorHandleLast__dosmaperr
                                  • String ID:
                                  • API String ID: 2583163307-0
                                  • Opcode ID: ba703f2ba00b1f204117ef540ebd352663bf239e25424e95fe57f9a0ce48969f
                                  • Instruction ID: 845a11ad102fd77e8200499f2d6c793ada89332059a0e27288f62d650a0f1606
                                  • Opcode Fuzzy Hash: ba703f2ba00b1f204117ef540ebd352663bf239e25424e95fe57f9a0ce48969f
                                  • Instruction Fuzzy Hash: 7B0126337072252FD21512399D85BAE27B94B8373CF2D865DE924DBBC1FF6588C942A0
                                  Function 6CA8428C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 5000 6ca8428c-6ca84297 5001 6ca84299-6ca842ac call 6ca830bc call 6ca83810 5000->5001 5002 6ca842ae-6ca842bb 5000->5002 5013 6ca84300-6ca84302 5001->5013 5004 6ca842bd-6ca842d2 call 6ca843a9 call 6ca8be2e call 6ca8d350 call 6ca8ef88 5002->5004 5005 6ca842f6-6ca842ff call 6ca8e565 5002->5005 5019 6ca842d7-6ca842dc 5004->5019 5005->5013 5020 6ca842de-6ca842e1 5019->5020 5021 6ca842e3-6ca842e7 5019->5021 5020->5005 5021->5005 5022 6ca842e9-6ca842f5 call 6ca87eab 5021->5022 5022->5005
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8Q
                                  • API String ID: 0-4022487301
                                  • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                  • Instruction ID: e1656ff958b610aa8f5a790ac9bae5c9b4375975eaae6192f177b660d8815860
                                  • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                                  • Instruction Fuzzy Hash: E9F0F4369076205BD6315A299D00BCB33ACCF4233CF140B15EA6493ED0EB34D48ECAE1
                                  Function 6CA79050 Relevance: 3.1, APIs: 2, Instructions: 108COMMON
                                  Download Yara Rule
                                  APIs
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA791A4
                                  • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA791E4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Ios_base_dtorstd::ios_base::_
                                  • String ID:
                                  • API String ID: 323602529-0
                                  • Opcode ID: e128b56ff853c317973bb96267342865917f5d923fbbf6f85b91a1e4545573b6
                                  • Instruction ID: 52452de2b25d429988095357695fe209b42dca954b1ba00d79d4a2a2d5e45af0
                                  • Opcode Fuzzy Hash: e128b56ff853c317973bb96267342865917f5d923fbbf6f85b91a1e4545573b6
                                  • Instruction Fuzzy Hash: 8B513575101B00DBD735CF29C985BE2B7F4BB05718F448A1DD4AA4BA91DB30B989CB90
                                  Function 6CA8262F Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetLastError.KERNEL32(6CAA9DD0,0000000C), ref: 6CA82642
                                  • ExitThread.KERNEL32 ref: 6CA82649
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ErrorExitLastThread
                                  • String ID:
                                  • API String ID: 1611280651-0
                                  • Opcode ID: 3e7b451876935b86b1fbb7d91207a7cbc0a4f86b5bc1813c15c8c6f9186ce2cd
                                  • Instruction ID: a50073d433739404c38fa279cbacd9301f1e4a99ad91df8933d49890d81f6e01
                                  • Opcode Fuzzy Hash: 3e7b451876935b86b1fbb7d91207a7cbc0a4f86b5bc1813c15c8c6f9186ce2cd
                                  • Instruction Fuzzy Hash: B8F02270A02205AFDB049FB0C90CEAE7B34FF01204F244609E001A7B90CF3598C9CBA0
                                  Function 6CA8E662 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: __wsopen_s
                                  • String ID:
                                  • API String ID: 3347428461-0
                                  • Opcode ID: 14201c3f69b14582c110f6e9d5c03596702db4d0562fab9ea7b873edb1667360
                                  • Instruction ID: f73226f65f4f6094791a5bd00ca5192f865a8410b71bf6bbd271ee2a79c3c466
                                  • Opcode Fuzzy Hash: 14201c3f69b14582c110f6e9d5c03596702db4d0562fab9ea7b873edb1667360
                                  • Instruction Fuzzy Hash: 96113675A0420AAFCF05CF58E94999F7BF8EF49308F1444A9F809AB311D670E915CBA5
                                  Function 6CA976EE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: _free
                                  • String ID:
                                  • API String ID: 269201875-0
                                  • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                  • Instruction ID: 714619dfb6ca2215aac3c8c9392fa2b00ae1a3011755c9621c60ef8a5cdb76f6
                                  • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                                  • Instruction Fuzzy Hash: F1014F72C11159BFCF019FA88D01AEE7FF5AF08314F144165FD24E2250E7318AA8DBA1
                                  Function 6CA97B47 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • CreateFileW.KERNEL32(00000000,00000000,?,6CA97805,?,?,00000000,?,6CA97805,00000000,0000000C), ref: 6CA97B64
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID:
                                  • API String ID: 823142352-0
                                  • Opcode ID: d735b56b1ce41fe0eb7d1160ecdd8fec9334d223c1d669ca01859aede449ecdf
                                  • Instruction ID: a37ae7630f2b6f08de7fb2a0bf2edd0645652e28c5408deb659e36e8dfa83d0b
                                  • Opcode Fuzzy Hash: d735b56b1ce41fe0eb7d1160ecdd8fec9334d223c1d669ca01859aede449ecdf
                                  • Instruction Fuzzy Hash: 14D06C3210024EBBDF028E84DC06EDA3BAAFB48715F018000BA1896020C732E862AB90
                                  Function 6C9483A0 Relevance: 1.5, APIs: 1, Instructions: 1COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                  • Instruction ID: bcd64aef442310398d65da5838e52ce8cf625af1b551a1eb17cfca660e11fcfc
                                  • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                                  • Instruction Fuzzy Hash:

                                  Non-executed Functions

                                  Function 6CA74860 Relevance: 11.0, APIs: 3, Strings: 1, Instructions: 4048COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: _strlen
                                  • String ID: C
                                  • API String ID: 4218353326-4157497815
                                  • Opcode ID: 7adb53819277db4ea3a70545f1355407a13be0ea6f7cd19166943fb510291e9b
                                  • Instruction ID: 2042f2a0862f9d1bfb83f2ab8006016b276ece23289374e9a18da5e6b12f89ce
                                  • Opcode Fuzzy Hash: 7adb53819277db4ea3a70545f1355407a13be0ea6f7cd19166943fb510291e9b
                                  • Instruction Fuzzy Hash: 3873F375644B018FC738CF29C890A96B7F2BF8531871D8B2DC0A787A55EB34B58ACB50
                                  Function 6CA79450 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 31nativeshutdownCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 6CA7945A
                                  • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA79466
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA79474
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA7949B
                                  • NtInitiatePowerAction.NTDLL ref: 6CA794AF
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                                  • String ID: SeShutdownPrivilege
                                  • API String ID: 3256374457-3733053543
                                  • Opcode ID: b5693394ab7b76db89e9f30448426b9046fa927212114a8702bfc0384b875576
                                  • Instruction ID: 50d9636e47676a41974f95f2f7f4215638050e3de1b850050c57e49e3a8868ce
                                  • Opcode Fuzzy Hash: b5693394ab7b76db89e9f30448426b9046fa927212114a8702bfc0384b875576
                                  • Instruction Fuzzy Hash: 49F03070645314ABEA42AF28CD0EB5A7BB8EB45701F004558FD85AB1D1D7F0A9948BA2
                                  Function 6C8F1950 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 594COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \j`7$\j`7$j
                                  • API String ID: 0-3644614255
                                  • Opcode ID: e51bf9cf74aa08bcc7a0d296b662f9df7cc634143aedfcae6bfe88755a2e9e2c
                                  • Instruction ID: d128f6473262277bb5b55cbe2e0c767854bb0b5d5c59faba1d466ee3b5f59eb2
                                  • Opcode Fuzzy Hash: e51bf9cf74aa08bcc7a0d296b662f9df7cc634143aedfcae6bfe88755a2e9e2c
                                  • Instruction Fuzzy Hash: B64234B46093828FCB24CF68C58065ABBE1ABD9394F544E1EE4E5C7761D334E846CB63
                                  Function 6CAD9CE0 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1923COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CAD9CE5
                                    • Part of subcall function 6CAAFC2A: __EH_prolog.LIBCMT ref: 6CAAFC2F
                                    • Part of subcall function 6CAB16A6: __EH_prolog.LIBCMT ref: 6CAB16AB
                                    • Part of subcall function 6CAD9A0E: __EH_prolog.LIBCMT ref: 6CAD9A13
                                    • Part of subcall function 6CAD9837: __EH_prolog.LIBCMT ref: 6CAD983C
                                    • Part of subcall function 6CADD143: __EH_prolog.LIBCMT ref: 6CADD148
                                    • Part of subcall function 6CADD143: ctype.LIBCPMT ref: 6CADD16C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog$ctype
                                  • String ID:
                                  • API String ID: 1039218491-3916222277
                                  • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                  • Instruction ID: 06deca672059c81c57387d23e290ba1d52f8f86e809505fc57761060ac4fed28
                                  • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                                  • Instruction Fuzzy Hash: AC039A30805288DFDF11DBA4CA54BDCBBB1AF15308F258099E44967A91DB34AFCEDB61
                                  Function 6CA83871 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6CA83969
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6CA83973
                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6CA83980
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                  • String ID:
                                  • API String ID: 3906539128-0
                                  • Opcode ID: 04ff5e41e3b701afa2e8f38149c97a91c71f0db2a9100153389d186c8a4f4cf5
                                  • Instruction ID: 5679e51ecb08de1178078e6ff3cb378763c5fbe79504f2fe6faeb591ec3ced51
                                  • Opcode Fuzzy Hash: 04ff5e41e3b701afa2e8f38149c97a91c71f0db2a9100153389d186c8a4f4cf5
                                  • Instruction Fuzzy Hash: 2C3195749022199BCB61DF64D9887CDBBB8BF08314F5045DAE41DA7250E7709B858F54
                                  Function 6CA8286D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,6CA82925,?,?,?,?), ref: 6CA8288F
                                  • TerminateProcess.KERNEL32(00000000,?,6CA82925,?,?,?,?), ref: 6CA82896
                                  • ExitProcess.KERNEL32 ref: 6CA828A8
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Process$CurrentExitTerminate
                                  • String ID:
                                  • API String ID: 1703294689-0
                                  • Opcode ID: bba2071c32a613130ae4fe696b067a23f422b079c8f4600a833b54448d13d37c
                                  • Instruction ID: b9a350f609359cdad2b6390921166f048d916e616e4d37fcbb53ff61489f9576
                                  • Opcode Fuzzy Hash: bba2071c32a613130ae4fe696b067a23f422b079c8f4600a833b54448d13d37c
                                  • Instruction Fuzzy Hash: F8E08C3164220AAFCF056F90D90CAAE3F78FF45745F548524F809C6620CB36E8C2CB80
                                  Function 6CAABEA1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: x=J
                                  • API String ID: 3519838083-1497497802
                                  • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                  • Instruction ID: a3919f088c8870a3d1fc98c0c897b0ad94959e319712014ca7da8a56b56e4565
                                  • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                                  • Instruction Fuzzy Hash: B591F031D002099BEF04EFE9D990AEDB7B1AF1530CF28816AD45167A51DB3299CFCB90
                                  Function 6CA7A133 Relevance: 3.3, APIs: 2, Instructions: 302COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA7AFA0
                                  • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CA7B7C3
                                    • Part of subcall function 6CA7CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA7B7AC,00000000,?,?,?,6CA7B7AC,?,6CAA853C), ref: 6CA7CAC9
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                                  • String ID:
                                  • API String ID: 915016180-0
                                  • Opcode ID: 80ae09b1723f224ec4f25feabca6dccf25010df00f9805d6ede33cc43f9262d8
                                  • Instruction ID: ef6406e34ee387c2316afa0c7deb7fbc3223dc8ab132b093e40f28d2f3eb295f
                                  • Opcode Fuzzy Hash: 80ae09b1723f224ec4f25feabca6dccf25010df00f9805d6ede33cc43f9262d8
                                  • Instruction Fuzzy Hash: FDB1CEB5E002199FDF25CF65D88569EBBB1FB49318F24822AD819E7780D3349694CFB0
                                  Function 6CAAB972 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @4J$DsL
                                  • API String ID: 0-2004129199
                                  • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                  • Instruction ID: d7798aa791dd14b0f79ef6811c53331ac5a0cb8d7851c201ee97d145508e4a17
                                  • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                                  • Instruction Fuzzy Hash: B6219E37AA48564BD74CCA28EC33EB92680E744305B88527EE94BCB3D1DF6D8800DA48
                                  Function 6CAC840A Relevance: 2.3, APIs: 1, Instructions: 760COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CAC840F
                                    • Part of subcall function 6CAC9137: __EH_prolog.LIBCMT ref: 6CAC913C
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                  • Instruction ID: 4e0ccad954a262fa1246d2364c15381f8ed83a245595ac913b4cb74b3a1c835d
                                  • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                                  • Instruction Fuzzy Hash: 8B627C71E05259CFDF15CFA8C994BEEBBB5BF04308F14405AE815AB680D7749A88CF92
                                  Function 6CB20AD0 Relevance: 1.9, Strings: 1, Instructions: 669COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: YA1
                                  • API String ID: 0-613462611
                                  • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                  • Instruction ID: 316a12766d98884b9ba6d8ce23304db95b251d35359a63ce3017631f57cf97bf
                                  • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                                  • Instruction Fuzzy Hash: 4142C4706093C18FD315CF28D4A06AABBE2FFD9308F18496DE8D98B741D675D946CB42
                                  Function 6CAB3BCA Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: __aullrem
                                  • String ID:
                                  • API String ID: 3758378126-0
                                  • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                  • Instruction ID: 86b981ca8f417addff99b1f452cddcae0b1775d232e57a885db39cf7a45157bd
                                  • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                                  • Instruction Fuzzy Hash: AB51EA71A092859BE710CF5EC4C02EDFBF6EF7A214F18C45DE8C897242D27A599AC760
                                  Function 6CB2CE80 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                  • Instruction ID: 4997e0d0e42c549eef9faf913eab0f4541453aaf1e06e2b07ed4ada524b4ba47
                                  • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                                  • Instruction Fuzzy Hash: F40269316083808BD725CF28D5907ABBBE2AFC9318F144A2DE49997B51C778D949CB83
                                  Function 6CAAF7CF Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (SL
                                  • API String ID: 0-669240678
                                  • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                  • Instruction ID: d53912a03be49b770a5cbde308a22ace91425628801fe872c50afece738e916e
                                  • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                                  • Instruction Fuzzy Hash: 8F519473E208314AD78CCE24DC2177572D2E784310F8BC1B99D4BAB6E6DD78989187C4
                                  Function 6CB87A46 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: B
                                  • API String ID: 0-1255198513
                                  • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                  • Instruction ID: 57150e40dfbf2db6e81c6040b7c9ed7fd4a7edc4cde98961458cd21b9ee5f14d
                                  • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                                  • Instruction Fuzzy Hash: 463124315087518BD314DF28D884AABB3E2FBC4325F60CA3ED89ACBA94E7745815CF41
                                  Function 6CB23020 Relevance: .8, Instructions: 762COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                  • Instruction ID: c52b93be05620dfbba193562c7a513c8c65242157b3837aa1ac39449472e0c53
                                  • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                                  • Instruction Fuzzy Hash: E9525F31208B858BD719CF29C5906AAB7E6FF95308F144A2DD4DAC7B41DB78F849CB41
                                  Function 6CB3D930 Relevance: .7, Instructions: 740COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                  • Instruction ID: c81e5454b1529534a2c0b5d98c201e6b9eff603af84e5bf8f290e464dc9af4ab
                                  • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                                  • Instruction Fuzzy Hash: 816202B5A183A48FCB14CF29D48061EBBE5FFC8744F149A2EE89987715D770E845CB82
                                  Function 6CB26D50 Relevance: .5, Instructions: 547COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                  • Instruction ID: 77cb4f5baebc60fe17547f5f603360eb88aa095929c94c6ab76a0fe8766c645c
                                  • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                                  • Instruction Fuzzy Hash: 7412C0712093818FC718CF28C59066AFBE2FFC9304F54492DE89A97B41DB79E849CB56
                                  Function 6CB37AA0 Relevance: .5, Instructions: 474COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                  • Instruction ID: 455e6e5247203e1967b61b526259d4d5cede809db47006ee2e3e7494f0e423e8
                                  • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                                  • Instruction Fuzzy Hash: 20021B31A083B1CBC319CE2CC590259BBF2FBC4355F151B2EE49AE7A94D7B49944CB92
                                  Function 6CB22A50 Relevance: .5, Instructions: 453COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                  • Instruction ID: d61f7b67955947cc1dd56ac461726fb2d121b04c1e6c7c0c26c7c9ff4ac61941
                                  • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                                  • Instruction Fuzzy Hash: 17F113326042C98BEB24CE28D8547EEB7E2FBC5324F54453DD889CBB40DB39954AC792
                                  Function 6CB325C0 Relevance: .3, Instructions: 333COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                  • Instruction ID: c65d0af5c4d1f99b86783e412befe7044f183e6055d725b54d1eaca3f3515baf
                                  • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                                  • Instruction Fuzzy Hash: AED100715047668FD718CF1CC498236BBE1FF85304F054A7DDAAA8B38AD7349905CB92
                                  Function 6CBC4F0A Relevance: .3, Instructions: 332COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                  • Instruction ID: 07b3c1f68a1772d89506214a78814b37bdb2cb3ceaa304b338e684f47cfddfda
                                  • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                                  • Instruction Fuzzy Hash: 6DB1B7366087428FD318DE7DD8409BB73A2EBC1320F54863DE196C79C4EB35992A8B85
                                  Function 6CB25580 Relevance: .3, Instructions: 316COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                  • Instruction ID: cd9f13b2d90b1555b8588c66cf811540bea74205f27ec542dfee252988482a69
                                  • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                                  • Instruction Fuzzy Hash: 66C1C7352047818BC719CF39D0A06A7BBE2EFD9314F148A6DC4CE4BB59DA74A80ECB55
                                  Function 6CB21810 Relevance: .3, Instructions: 296COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                  • Instruction ID: e78682e7a0623141e0c430406c530b3e0aa18365d8c9e6f153c2766ab4d453ff
                                  • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                                  • Instruction Fuzzy Hash: C9B1E3313047854BD324DF79C894BEAB7E1EF85308F04492DD5AE87B51EF39A9098792
                                  Function 6CB24AA0 Relevance: .3, Instructions: 291COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                  • Instruction ID: 3edb30b29e721ec0d5d1a71c2bfc93af78cca6788fd53dd3b7c45bb632e9ee4b
                                  • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                                  • Instruction Fuzzy Hash: 74B19D756087428BC304DF29C8806ABF7E2FFC8304F14892DE49987B15E775A95ACB96
                                  Function 6CB2C9F0 Relevance: .3, Instructions: 287COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                  • Instruction ID: dc783761863ee31d5d20a9d4bfcdba581aa2a5a5e48914716b361c12dddc6022
                                  • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                                  • Instruction Fuzzy Hash: 0DA1057160C3818FE315DF2DC4906AABBE1EBD5348F144A2DE4DA87740D735E94ACB82
                                  Function 6CB2C6E0 Relevance: .2, Instructions: 223COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                  • Instruction ID: be687a4199a4f338f1d4743bb85842a1293ae3171a551c5475f49f7d66947096
                                  • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                                  • Instruction Fuzzy Hash: B581C035A047418FD320DF29C0802A6B7E1FF99714F28CAADC5D99B711E776E946CB81
                                  Function 6CBE3881 Relevance: .2, Instructions: 184COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                  • Instruction ID: 9d613a561912217fe0f797ac26376fc46f0120fc8afdcc9dd1e72aead03b59fe
                                  • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                                  • Instruction Fuzzy Hash: 1051A9366126124BC70CDA3CD8619E73392EBC6370B08C73EE156C79D4EB7A940BC600
                                  Function 6CAC3B66 Relevance: .2, Instructions: 167COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                  • Instruction ID: 061365f192640bef53264b7b5001647582d6196684f736cc51610cac0a65a7b3
                                  • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                                  • Instruction Fuzzy Hash: 2D51CD72F016099FDB08CF98DD916EDBBF2EB88308F248469D152E7381D7749A85CB81
                                  Function 6CC4B06F Relevance: .2, Instructions: 155COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                  • Instruction ID: e2cfacaea58d1cfa2130fafe761630c19d1910c1a50292ce9f7dc8808b67fb80
                                  • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                                  • Instruction Fuzzy Hash: 2E51363550C7468BC314DF6CE8409EAB3A1AFC5320F618B3EE495CB8D1EB75552ACB46
                                  Function 6CAC5EC9 Relevance: .1, Instructions: 136COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                  • Instruction ID: 7cac8aa86f4905894e1e0241faf496425f27711247f19a101cede946aced4891
                                  • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                                  • Instruction Fuzzy Hash: 5B3114277A440103C70CCD3BCC1279FA1675BD462A75ECF396C05CEF55D52CC8525545
                                  Function 6CBFCB30 Relevance: .1, Instructions: 118COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de8734e84ab66d6a12bbdd869bc6bfe792962b681530571623729f73bd36a9f7
                                  • Instruction ID: 9390228ca66011e4a9595e12c204dd8f7d46aa517e795ff643c4945bf6140567
                                  • Opcode Fuzzy Hash: de8734e84ab66d6a12bbdd869bc6bfe792962b681530571623729f73bd36a9f7
                                  • Instruction Fuzzy Hash: C041AD72A487168FC304DE58EC804FBB3A6EFC8310F904B3DA865871D5D771691AC790
                                  Function 6CC58D12 Relevance: .1, Instructions: 97COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                  • Instruction ID: 285f599bcd70399d3506b6ec70c31b2762e6519b550965c0e3124c6845b173fe
                                  • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                                  • Instruction Fuzzy Hash: C5317A31A047128BD729DA39D4510ABB3E3EFC5318B59CB3DC4568B589EB76601FCB82
                                  Function 6CB4C700 Relevance: .1, Instructions: 70COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                  • Instruction ID: 792cc59ed3bdd9081a881da2b43b5e6e55f4f9080e356fbf55f1f080edf010d5
                                  • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                                  • Instruction Fuzzy Hash: 0F219077320A0647E74C8A38D83737532D0A705318F98A22DEA6BCE2C2D73AC457C385
                                  Function 6CA8D456 Relevance: .0, Instructions: 29COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d00e3a9832e635b5b5c1675a163d6221048642855c41e442e5589242ea55694e
                                  • Instruction ID: f1736e27bc1fe3a76b13393f12a6bc8b78360f1ff3c00171c4b7e96a91e28391
                                  • Opcode Fuzzy Hash: d00e3a9832e635b5b5c1675a163d6221048642855c41e442e5589242ea55694e
                                  • Instruction Fuzzy Hash: 4EF0E531E12220EBCB12DB4CC401B8973BCEB05BA8F154097E401EB640C3B0ED80C7D0
                                  Function 6CA8D425 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                  • Instruction ID: 6b7cf5d0370f25c303cbee797152ca4c55d704db7a10f985cdedb2436fdcda7b
                                  • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                                  • Instruction Fuzzy Hash: DFE08C32913238EBCB10CB88CA04D8AF3FCEB45B04B1104A6F506D3640C274EE84C7D0
                                  Function 6CB4A720 Relevance: .0, Instructions: 16COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                  • Instruction ID: 3ddec3b7c801794c0c583e6adefcf7e01439cbd43610ca6e66ad176d6313d0e7
                                  • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                                  • Instruction Fuzzy Hash: 7FC080A311C10017C312E92594C079AF6737360330F22CC3D9052E7E43C314C0648511
                                  Function 6CAE1B50 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 341COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                                  • API String ID: 3519838083-609671
                                  • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                  • Instruction ID: a99fdb441f437553471d9dfb82d9a53054d9d2b53f244abeb506ca09ad4e159a
                                  • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                                  • Instruction Fuzzy Hash: B1D1C331A0421A9FDF00CFA4DA90BFDB7B5FF09308F24451AE155A3A51DB71E989DBA0
                                  Function 6CAC9798 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 461COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: __aulldiv$H_prolog
                                  • String ID: >WJ$x$x
                                  • API String ID: 2300968129-3162267903
                                  • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                  • Instruction ID: f1f45374d20b3a394a3f2c94bfe99f08ecd660dc36cb95c764c0fa70c5cc061d
                                  • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                                  • Instruction Fuzzy Hash: 61127D71A00219EFDF10DFA5CA80AEDBBB5FF4831CF248169E819AB650D7319989CF51
                                  Function 6CA7D1C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON
                                  Download Yara Rule
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 6CA7D1F7
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 6CA7D1FF
                                  • _ValidateLocalCookies.LIBCMT ref: 6CA7D288
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 6CA7D2B3
                                  • _ValidateLocalCookies.LIBCMT ref: 6CA7D308
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 2ce8e886481945f4fcd2ed086672abbcbc64a4b9a393e9a4759c11e42b77585b
                                  • Instruction ID: c0abdfbd98f8115373b7c570899c664c14221eac7d6f4447a5cd121da4052f7e
                                  • Opcode Fuzzy Hash: 2ce8e886481945f4fcd2ed086672abbcbc64a4b9a393e9a4759c11e42b77585b
                                  • Instruction Fuzzy Hash: 7141B738E012189BCF10CF68C944ADE7BF5BF45328F148155E824ABB51D731DA9ACBE0
                                  Function 6CA8A58A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: api-ms-$ext-ms-
                                  • API String ID: 0-537541572
                                  • Opcode ID: 8ab6e96e847983fd94738c17a1478479b42a3a4ee90de2cc66393739c81e90a9
                                  • Instruction ID: b6f964de860a30ee80d89a35ac31f74e93d3a9f9c647c535f5b2470a1231aa37
                                  • Opcode Fuzzy Hash: 8ab6e96e847983fd94738c17a1478479b42a3a4ee90de2cc66393739c81e90a9
                                  • Instruction Fuzzy Hash: FC21EE71F07211FBDB118A699C44A9B77B5AF02768F190630E955E76CCD730DD82C6E0
                                  Function 6CA8F5A1 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetConsoleCP.KERNEL32(?,6CA8E7C0,?), ref: 6CA8F5E9
                                  • __fassign.LIBCMT ref: 6CA8F7C8
                                  • __fassign.LIBCMT ref: 6CA8F7E5
                                  • WriteFile.KERNEL32(?,6CA991A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA8F82D
                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CA8F86D
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA8F919
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: FileWrite__fassign$ConsoleErrorLast
                                  • String ID:
                                  • API String ID: 4031098158-0
                                  • Opcode ID: 7513b20735aefe54406cb1b818b3f451b6545c674b53ef65c5c82d6703317761
                                  • Instruction ID: 220713085ba90984e43e47be2461477c1c48d4e3849abe49726edb4a865b850d
                                  • Opcode Fuzzy Hash: 7513b20735aefe54406cb1b818b3f451b6545c674b53ef65c5c82d6703317761
                                  • Instruction Fuzzy Hash: 30D1BC71D022599FDF11CFE8C9809EDBBB5BF09314F28016EE855BB601D7319A86CB20
                                  Function 6C942F60 Relevance: 9.1, APIs: 6, Instructions: 107COMMON
                                  Download Yara Rule
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C942F95
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6C942FAF
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C942FD0
                                  • __Getctype.LIBCPMT ref: 6C943084
                                  • std::_Facet_Register.LIBCPMT ref: 6C94309C
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6C9430B7
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                                  • String ID:
                                  • API String ID: 1102183713-0
                                  • Opcode ID: 19dd6e731c9d558087a62e8ac923e1bc8167097bc842b642bc5e2684ee6e4493
                                  • Instruction ID: 7ef9385dd2ec8d27e4509f4bf3ba2c392d324563769978355e0c7294effb63e6
                                  • Opcode Fuzzy Hash: 19dd6e731c9d558087a62e8ac923e1bc8167097bc842b642bc5e2684ee6e4493
                                  • Instruction Fuzzy Hash: 0E4188B1E00618CFCB15CFA4C854B9EBBB5FF54719F148228D859ABB50D774E948CBA0
                                  Function 6CAB7FA6 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: __aulldiv$__aullrem
                                  • String ID:
                                  • API String ID: 2022606265-0
                                  • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                  • Instruction ID: 5aacb67a86cc32580590d3bf4e7db20d11425b0217ab363aeae10da24e779702
                                  • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                                  • Instruction Fuzzy Hash: 2921BF3094525AFEEF108E998C40DDF7E7DEB417E9F208236B52071A94D2718D90EA61
                                  Function 6CABD6EC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 183COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CABD6F1
                                    • Part of subcall function 6CACC173: __EH_prolog.LIBCMT ref: 6CACC178
                                  • __EH_prolog.LIBCMT ref: 6CABD8F9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: IJ$WIJ$J
                                  • API String ID: 3519838083-740443243
                                  • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                  • Instruction ID: 931f9a32dea822784d3b082f2a095ee88952af994fafee4511a6fa9cfbdb94ee
                                  • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                                  • Instruction Fuzzy Hash: 5971BB30D00254DFDB14DFA4C584BEDBBB8BF14308F1480A9E8596BB95DB74AA8DCB91
                                  Function 6CA990FD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132fileCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • _free.LIBCMT ref: 6CA991CD
                                  • _free.LIBCMT ref: 6CA991F6
                                  • SetEndOfFile.KERNEL32(00000000,6CA97DDC,00000000,6CA8E7C0,?,?,?,?,?,?,?,6CA97DDC,6CA8E7C0,00000000), ref: 6CA99228
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA97DDC,6CA8E7C0,00000000,?,?,?,?,00000000,?), ref: 6CA99244
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: _free$ErrorFileLast
                                  • String ID: 8Q
                                  • API String ID: 1547350101-4022487301
                                  • Opcode ID: d84685b1ee5016a23d5a57d2a3889d2d10ae5bcaf45193447b7664ca48ebdb68
                                  • Instruction ID: be4565d9c1f40dd9dbc77799a67211d530bf5545bc150a844a850a302b83f44d
                                  • Opcode Fuzzy Hash: d84685b1ee5016a23d5a57d2a3889d2d10ae5bcaf45193447b7664ca48ebdb68
                                  • Instruction Fuzzy Hash: B6418432912605BFDB119AB88F46BCE77F5AF45324F280514E92CA7B90EB31D8CD4762
                                  Function 6CAD1418 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CAD141D
                                    • Part of subcall function 6CAD1E40: __EH_prolog.LIBCMT ref: 6CAD1E45
                                    • Part of subcall function 6CAD18EB: __EH_prolog.LIBCMT ref: 6CAD18F0
                                    • Part of subcall function 6CAD1593: __EH_prolog.LIBCMT ref: 6CAD1598
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: &qB$0aJ$A0$XqB
                                  • API String ID: 3519838083-1326096578
                                  • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                  • Instruction ID: 1eaacaa15940ced89001568c8b17ec117fa286d2ba42da1b6b4e7e1f2bd8c92f
                                  • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                                  • Instruction Fuzzy Hash: 77218871D01258AECF08DBE4DA959EDBBB5AF25318F204069D81237780DB785E8DCB61
                                  Function 6CAD1234 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: J$0J$DJ$`J
                                  • API String ID: 3519838083-2453737217
                                  • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                  • Instruction ID: 1403d5ec3a8f4b05cdc78eccc676d3fab587e0d56c3181ae149efddfbeb99576
                                  • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                                  • Instruction Fuzzy Hash: E611F2B0900BA4CEC720CF5AC55029AFBE4BFA5708B10C91FC4A687B10C7F8A549CB99
                                  Function 6CA8281A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CA828A4,?,?,6CA82925,?,?,?), ref: 6CA8282F
                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CA82842
                                  • FreeLibrary.KERNEL32(00000000,?,?,6CA828A4,?,?,6CA82925,?,?,?), ref: 6CA82865
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: AddressFreeHandleLibraryModuleProc
                                  • String ID: CorExitProcess$mscoree.dll
                                  • API String ID: 4061214504-1276376045
                                  • Opcode ID: 84fb944e916db3a2cc6cfc5ff6f8dc31cf5371afb5a2076f9fe06ee133094e09
                                  • Instruction ID: a6dcf694b8a75ba479bc7ef1fd531b8a69e7375fbf17a4bf60ee17b6c4d99b96
                                  • Opcode Fuzzy Hash: 84fb944e916db3a2cc6cfc5ff6f8dc31cf5371afb5a2076f9fe06ee133094e09
                                  • Instruction Fuzzy Hash: 41F05831A1261AFBDF019F90D90DBAEBA78BB0135AF114164A800A2460CF308A82DBA0
                                  Function 6CA7AA17 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog3.LIBCMT ref: 6CA7AA1E
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 6CA7AA29
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA7AA97
                                    • Part of subcall function 6CA7A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA7A938
                                  • std::locale::_Setgloballocale.LIBCPMT ref: 6CA7AA44
                                  • _Yarn.LIBCPMT ref: 6CA7AA5A
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                  • String ID:
                                  • API String ID: 1088826258-0
                                  • Opcode ID: bde0432e22688eb466bd0884905af1c3e80ba0c344130ed7be06d5b5b29af897
                                  • Instruction ID: 0d33529a07b6acaa81683667a1b7ff029a50f1355b69f01591fd157e9ef3b439
                                  • Opcode Fuzzy Hash: bde0432e22688eb466bd0884905af1c3e80ba0c344130ed7be06d5b5b29af897
                                  • Instruction Fuzzy Hash: 6A01BC79B00220AFDB16DB20CA549BD3BB6FF95204B191049D80117B80CF38AE8ACBA1
                                  Function 6CAF9E3F Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 452COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: $!$@
                                  • API String ID: 3519838083-2517134481
                                  • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                  • Instruction ID: 7705a7ab0b7f010afb6a13835e3062864b82e598678a4eb43715d944919690fd
                                  • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                                  • Instruction Fuzzy Hash: 3B126C74E05249DFCB05CFA4C590ADDBBB6BF08308F188169F855ABB51D731AD8ACB60
                                  Function 6CAC5B91 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog__aulldiv
                                  • String ID: $SJ
                                  • API String ID: 4125985754-3948962906
                                  • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                  • Instruction ID: a5b485110c8a2d9e26124e04b39b48e44b243aa94df2c9a44d89cb5b100363f2
                                  • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                                  • Instruction Fuzzy Hash: 6CB14BB1E05309DFCB14CF99C9809EEBBB1FF48318B64852EE416A7B50D730AA85DB51
                                  Function 6C942020 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 6CA7AA17: __EH_prolog3.LIBCMT ref: 6CA7AA1E
                                    • Part of subcall function 6CA7AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6CA7AA29
                                    • Part of subcall function 6CA7AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6CA7AA44
                                    • Part of subcall function 6CA7AA17: _Yarn.LIBCPMT ref: 6CA7AA5A
                                    • Part of subcall function 6CA7AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA7AA97
                                    • Part of subcall function 6C942F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C942F95
                                    • Part of subcall function 6C942F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C942FAF
                                    • Part of subcall function 6C942F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C942FD0
                                    • Part of subcall function 6C942F60: __Getctype.LIBCPMT ref: 6C943084
                                    • Part of subcall function 6C942F60: std::_Facet_Register.LIBCPMT ref: 6C94309C
                                    • Part of subcall function 6C942F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C9430B7
                                  • std::ios_base::_Addstd.LIBCPMT ref: 6C94211B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 3332196525-1866435925
                                  • Opcode ID: b0cfc4bda64c9f1c9bdd215da98649a747585d545c64b081306546f1fa11fabf
                                  • Instruction ID: b0726f7f4863e7d5334f685f8bd614ae666f58bb1737a8311f7673561a38994c
                                  • Opcode Fuzzy Hash: b0cfc4bda64c9f1c9bdd215da98649a747585d545c64b081306546f1fa11fabf
                                  • Instruction Fuzzy Hash: 8741D1B0E007099FEB04CF64C8457AABBB5FF48318F108268E819AB781E775D985CF90
                                  Function 6CAC91D6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: $CK$CK
                                  • API String ID: 3519838083-2957773085
                                  • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                  • Instruction ID: 66527c73577f56d03d6eb2eb37e2b445d238e3a10bfaf273d27ad16bdd24d743
                                  • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                                  • Instruction Fuzzy Hash: 82219271F01205CBCB04DFB9C6801EEF7B6BB95318F14462AC462A3B91C7745A86CA92
                                  Function 6CAE0584 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: 0$LrJ$x
                                  • API String ID: 3519838083-658305261
                                  • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                  • Instruction ID: 1e77c2a9cf023c780ddaf80fb79bb59ebe912e2c7603bf4386dca375f65d3769
                                  • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                                  • Instruction Fuzzy Hash: 87215B32D011199BDF04DBD8CA90BEEB7B5EF98308F20005AD40177640DB765E8DDBA1
                                  Function 6CAD7EC7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CAD7ECC
                                    • Part of subcall function 6CAC258A: __EH_prolog.LIBCMT ref: 6CAC258F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: :hJ$dJ$xJ
                                  • API String ID: 3519838083-2437443688
                                  • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                  • Instruction ID: 3da74138249e9433609fc0c66857c69d281c41ed33ab05eaf2ec0dd1768ecb00
                                  • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                                  • Instruction Fuzzy Hash: 8021C9B0801B40CFC760CF6AC24429ABBF4BF29708B00C95EC4AA97B11E7B8A54DCF55
                                  Function 6CA8E480 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CA8E7C0,6C941DEA,00008000,6CA8E7C0,?,?,?,6CA8E36F,6CA8E7C0,?,00000000,6C941DEA), ref: 6CA8E4B9
                                  • GetLastError.KERNEL32(?,?,?,6CA8E36F,6CA8E7C0,?,00000000,6C941DEA,?,6CA97D8E,6CA8E7C0,000000FF,000000FF,00000002,00008000,6CA8E7C0), ref: 6CA8E4C3
                                  • __dosmaperr.LIBCMT ref: 6CA8E4CA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastPointer__dosmaperr
                                  • String ID: 8Q
                                  • API String ID: 2336955059-4022487301
                                  • Opcode ID: 846b3163449ab3bde24354135e2433217967ebcf83d2a25e9c0fc9abb2c03426
                                  • Instruction ID: f35478ddfcca79f1e7cdea0f0a89d084920ff3c66631a21eb64e6c069910bf2d
                                  • Opcode Fuzzy Hash: 846b3163449ab3bde24354135e2433217967ebcf83d2a25e9c0fc9abb2c03426
                                  • Instruction Fuzzy Hash: 9E012836711515EBCB058F99CC04C9E3B3DEB86334B284208E825DB680EA32D99587A0
                                  Function 6CACED0E Relevance: 6.4, Strings: 5, Instructions: 105COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <J$DJ$HJ$TJ$]
                                  • API String ID: 0-686860805
                                  • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                  • Instruction ID: f1a162fc561164dd1139fbdf02a4305df0b914ac7066b357a6a140375828460c
                                  • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                                  • Instruction Fuzzy Hash: 0D41C370E05289BFCF14DBE0D5918EEB774AF11308B24816DD46267A50EB35A6CDCB82
                                  Function 6CAC9331 Relevance: 6.1, APIs: 4, Instructions: 76COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID:
                                  • API String ID: 3732870572-0
                                  • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                  • Instruction ID: 5b5f3db1663d53fef8aa068d4a08fe72672050983108fc67bb4bda502c0748bb
                                  • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                                  • Instruction Fuzzy Hash: 57119076304244BFEB214EA4CD84EAF7BBDEBC9748F04842DB55156B90C771AC48A761
                                  Function 6CA880A2 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,6CA82654,6CAA9DD0,0000000C), ref: 6CA880A7
                                  • _free.LIBCMT ref: 6CA88104
                                  • _free.LIBCMT ref: 6CA8813A
                                  • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6CA82654,6CAA9DD0,0000000C), ref: 6CA88145
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ErrorLast_free
                                  • String ID:
                                  • API String ID: 2283115069-0
                                  • Opcode ID: b9574524fb5ab745176518d70917ae98be8e1d5e9c82e88d38992e9da593dc46
                                  • Instruction ID: 6fc29b3a8294957c857e03478801840144cf0b2e0a1d3d8532cbf8c1b01f65ab
                                  • Opcode Fuzzy Hash: b9574524fb5ab745176518d70917ae98be8e1d5e9c82e88d38992e9da593dc46
                                  • Instruction Fuzzy Hash: 3E11CA317476026BDB611A759D84D9B26BBABC277C7250636F524E3AD0EF218C8D4320
                                  Function 6CA995AA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • WriteConsoleW.KERNEL32(00000000,?,6CA97DDC,00000000,00000000,?,6CA98241,00000000,00000001,00000000,6CA8E7C0,?,6CA8F976,?,?,6CA8E7C0), ref: 6CA995C1
                                  • GetLastError.KERNEL32(?,6CA98241,00000000,00000001,00000000,6CA8E7C0,?,6CA8F976,?,?,6CA8E7C0,?,6CA8E7C0,?,6CA8F40C,6CA991A6), ref: 6CA995CD
                                    • Part of subcall function 6CA9961E: CloseHandle.KERNEL32(FFFFFFFE,6CA995DD,?,6CA98241,00000000,00000001,00000000,6CA8E7C0,?,6CA8F976,?,?,6CA8E7C0,?,6CA8E7C0), ref: 6CA9962E
                                  • ___initconout.LIBCMT ref: 6CA995DD
                                    • Part of subcall function 6CA995FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA9959B,6CA9822E,6CA8E7C0,?,6CA8F976,?,?,6CA8E7C0,?), ref: 6CA99612
                                  • WriteConsoleW.KERNEL32(00000000,?,6CA97DDC,00000000,?,6CA98241,00000000,00000001,00000000,6CA8E7C0,?,6CA8F976,?,?,6CA8E7C0,?), ref: 6CA995F2
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                  • String ID:
                                  • API String ID: 2744216297-0
                                  • Opcode ID: 7f99e9258016b14f74d7d768dc27d91a9603adcae40f3269e00e6c42fbe718b5
                                  • Instruction ID: 5e4625d9be10d68d65d80c2fa7ebcc8ac3e7e651ebed436cbde05625980430ad
                                  • Opcode Fuzzy Hash: 7f99e9258016b14f74d7d768dc27d91a9603adcae40f3269e00e6c42fbe718b5
                                  • Instruction Fuzzy Hash: 2DF01236110226BFCF121FE1DD45A8E3F76FB06761F044010FE09D6514DB328864DB91
                                  Function 6CAB1072 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 398COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CAB1077
                                    • Part of subcall function 6CAB0FF5: __EH_prolog.LIBCMT ref: 6CAB0FFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: :$\
                                  • API String ID: 3519838083-1166558509
                                  • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                  • Instruction ID: 577370916a366138cbe54b909c4e91de9c416561f6a169ec9bf67ef71ae8f8f1
                                  • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                                  • Instruction Fuzzy Hash: 90E1E0709002099ACF11DFA4CA90BFDB7B9AF0531CF144619D9567BA90EB71EACECB50
                                  Function 6CAFD354 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 234COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog__aullrem
                                  • String ID: d%K
                                  • API String ID: 3415659256-3110269457
                                  • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                  • Instruction ID: 66348546da0d5e3e6d43b2141fd53de0588107a5c8d2d2259734a15115b99727
                                  • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                                  • Instruction Fuzzy Hash: FB81E271E002099FDF12CF94C580BDEB7F5AF4534DF288159E868AB640D771E98ACBA0
                                  Function 6CA86814 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog3_
                                  • String ID: 8Q
                                  • API String ID: 2427045233-4022487301
                                  • Opcode ID: 8c0bba38b497f03a4a51f659f3c3fc6fe1facba3ebda2f6831d37f224c7b24b2
                                  • Instruction ID: c39df7130105d69b03083aa00d272d8f2ea545cf78aaa9f31ce051386271999d
                                  • Opcode Fuzzy Hash: 8c0bba38b497f03a4a51f659f3c3fc6fe1facba3ebda2f6831d37f224c7b24b2
                                  • Instruction Fuzzy Hash: 2071D670D5720A9BFF118F95C9406EEB675BF45318F288219E820E7B80DB79C8C5C761
                                  Function 6CAD6C20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 224COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: @$hfJ
                                  • API String ID: 3519838083-1391159562
                                  • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                  • Instruction ID: 6e9f6bb394d89bd73b3e10d4995769a2544385544fb4d08d514d2d859eaebea1
                                  • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                                  • Instruction Fuzzy Hash: 06913770910609DFCB10DF99C9949DEFBB4BF18308F55491EE496E7A90DB70AA88CB10
                                  Function 6CACBC58 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 213COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 6CACBC5D
                                    • Part of subcall function 6CACA61A: __EH_prolog.LIBCMT ref: 6CACA61F
                                    • Part of subcall function 6CACAA2E: __EH_prolog.LIBCMT ref: 6CACAA33
                                    • Part of subcall function 6CACBEA5: __EH_prolog.LIBCMT ref: 6CACBEAA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: WZJ
                                  • API String ID: 3519838083-1089469559
                                  • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                  • Instruction ID: 6ef908cfdbdf033b1628a68b207373703bce82a4d965bfcb0f5d11e948e43c1d
                                  • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                                  • Instruction Fuzzy Hash: ED815831E00158DFCF15DFA8DA90ADDBBB4AF08308F104199E51667790DB31AE8DCBA1
                                  Function 6C9428E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 176COMMON
                                  Download Yara Rule
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 6C942A76
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: Jbx$Jbx
                                  • API String ID: 4194217158-1161259238
                                  • Opcode ID: 7e7b5e6d113a44a15a0aabb41c00b30dd5d051a08acb93af397d408ed2bd5bbe
                                  • Instruction ID: e7503be6a3065457111250e8e3c88122c42ad7097ae18cdb12292e24e7a4ac7f
                                  • Opcode Fuzzy Hash: 7e7b5e6d113a44a15a0aabb41c00b30dd5d051a08acb93af397d408ed2bd5bbe
                                  • Instruction Fuzzy Hash: D45123B19006049FDB14CF58D9846AEBBB5FF89318F14C56EE849DB740E331D989CBA1
                                  Function 6CAD2F9C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: <dJ$Q
                                  • API String ID: 3519838083-2252229148
                                  • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                  • Instruction ID: 16fa779557b7176092bc66efc85f37a5ca2a764250561c7c2b8693f2712f7cee
                                  • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                                  • Instruction Fuzzy Hash: 15519D7190524AEFCF00DFD8D8809EDB7B1BF48318F15852EE561ABA50D731AACACB10
                                  Function 6CACE9B9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: $D^J
                                  • API String ID: 3519838083-3977321784
                                  • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                  • Instruction ID: c4edca335c76adae8b4894ad5fbf9d50158d9472e5a6ad33795b5de52b78a266
                                  • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                                  • Instruction Fuzzy Hash: AF415920B055A86EE7229B6885527E8BBA1AF2720CF1CC158C49347EC1DB6559CFC3D3
                                  Function 6CA905EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CA97DC6), ref: 6CA9070B
                                  • __dosmaperr.LIBCMT ref: 6CA90712
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: ErrorLast__dosmaperr
                                  • String ID: 8Q
                                  • API String ID: 1659562826-4022487301
                                  • Opcode ID: 1558c6911bf3159106dfb6ab454b5e2db990664f6be3166ef6e2c8254333653a
                                  • Instruction ID: d9c6cd8410947609715faaac3e3e61f94cef3395300fab234f68d5150bc82384
                                  • Opcode Fuzzy Hash: 1558c6911bf3159106dfb6ab454b5e2db990664f6be3166ef6e2c8254333653a
                                  • Instruction Fuzzy Hash: 0641CE716242D4AFDB11CF1CC882BE97FF5EF8A394F184159E9808B641D3B19C95CBA0
                                  Function 6CAE812C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: X&L$p|J
                                  • API String ID: 3519838083-2944591232
                                  • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                  • Instruction ID: b6864ed5c9169b9933278cabb3122f9c5005672afd99eab2732adae6d2aeedae
                                  • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                                  • Instruction Fuzzy Hash: D4314931685905CBD711AB9CDE01BED7771EB0932CF24012BD520A7EE2CB6189CAEBD4
                                  Function 6CAE7C24 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: 0|J$`)L
                                  • API String ID: 3519838083-117937767
                                  • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                  • Instruction ID: beb7cc5b2dfccc9624b2e2d0cf001c9c7328247a010738ff73e92173936bd313
                                  • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                                  • Instruction Fuzzy Hash: DE41D331600784EFDB119FA0C5907FEBBE2FF49208F04442EE49A97711CB366989EB91
                                  Function 6CAEACB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: __aulldiv
                                  • String ID: 3333
                                  • API String ID: 3732870572-2924271548
                                  • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                  • Instruction ID: 992404498d99fddb48fc0f32b9cb36c89080be5f0dcd5544c1940bc66f68851a
                                  • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                                  • Instruction Fuzzy Hash: 9221B7B09447446FE720CFA98880B5FBEFDEB48715F10C92EA146D3B40D770AD449B65
                                  Function 6CAE3906 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: @$LuJ
                                  • API String ID: 3519838083-205571748
                                  • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                  • Instruction ID: 5a81cd26fab05db585787248ea3b5ac5d692e53758e6231a195ffba9208931b9
                                  • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                                  • Instruction Fuzzy Hash: 7A016171E06209DACB10DFD984905AEF7B4FF59704F50842EE569F3A51C3349948CB95
                                  Function 6CABF0AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: @$xMJ
                                  • API String ID: 3519838083-951924499
                                  • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                  • Instruction ID: 285c27872ed6f45d216d294740b1e7022a2279529985aaf6146fc6827463f8c5
                                  • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                                  • Instruction Fuzzy Hash: 9C117C79E01209DBCF00CFA9D8905AEF7B8FF18308B94C82ED569E7600D3349A45CB95
                                  Function 6CA91418 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • _free.LIBCMT ref: 6CA91439
                                  • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CA8DD2A,?,00000004,?,4B42FCB6,?,?,6CA82E7C,4B42FCB6,?), ref: 6CA91475
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1816945823.000000006C8F1000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C8F0000, based on PE: true
                                  • Associated: 00000005.00000002.1816927117.000000006C8F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817921729.000000006CA9B000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1819232660.000000006CC67000.00000002.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: AllocHeap_free
                                  • String ID: 8Q
                                  • API String ID: 1080816511-4022487301
                                  • Opcode ID: a9526e0003b49a4b560f0bafdc9e75f7ba875cf575ee015ca933161ab4f77ecb
                                  • Instruction ID: 932ee581b339d9b7989b435c4ef1de89f29d0ec20d6cca719dab26cc5fdc6b4b
                                  • Opcode Fuzzy Hash: a9526e0003b49a4b560f0bafdc9e75f7ba875cf575ee015ca933161ab4f77ecb
                                  • Instruction Fuzzy Hash: E9F02872722111669B111A2A5C01AAB27FC9FC6BBCF198115EA169AA80DB30C4C981A1
                                  Function 6CAE6431 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prologctype
                                  • String ID: |zJ
                                  • API String ID: 3037903784-3782439380
                                  • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                  • Instruction ID: 8a5dcebbfd9d42cb9e4107d905c381481511c12782475fd3ffe52065155f7c55
                                  • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                                  • Instruction Fuzzy Hash: 0BE06572A055249BEB149B48DA017DEF3A8FF58718F10441F9512E7B45CBB1A884D6D1
                                  Function 6CADD143 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID: H_prologctype
                                  • String ID: <oJ
                                  • API String ID: 3037903784-2791053824
                                  • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                  • Instruction ID: f6b0febe0a63af36b8b722f26245ac0c7dcfc7602a345523974340ebd014be2b
                                  • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                                  • Instruction Fuzzy Hash: A2E06D32E05520ABEB04AF48D910BEEF7B9EF55718F16411EE021A7B51CBB5B844CB94
                                  Function 6CB124AB Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @ K$DJ$T)K$X/K
                                  • API String ID: 0-3815299647
                                  • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                  • Instruction ID: 476c68cc6c13d7befc39c2159c590fefbb54830a34873ad8077984eb4f76a76f
                                  • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                                  • Instruction Fuzzy Hash: F391CF346083859BDB04EEA4C5987EB73A2EF5230CF104829C8655BF85DB76AD8EC753
                                  Function 6CB07E19 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.1817981542.000000006CAAB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CAAB000, based on PE: true
                                  • Associated: 00000005.00000002.1818582260.000000006CB76000.00000004.00000001.01000000.00000009.sdmpDownload File
                                  • Associated: 00000005.00000002.1818605084.000000006CB7C000.00000020.00000001.01000000.00000009.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_6c8f0000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: D)K$H)K$P)K$T)K
                                  • API String ID: 0-2262112463
                                  • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                  • Instruction ID: e0adaf2190fc6e7a63d7535ff4685b850e14e7009255a0c2f1883b29ae1611ee
                                  • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                                  • Instruction Fuzzy Hash: A451C530A042899BDF00EFD4DA40ADEBB75FF1531CF10442AE81177A90DBB6A98DCB91

                                  Execution Graph

                                  Execution Coverage:4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0.3%
                                  Total number of Nodes:2000
                                  Total number of Limit Nodes:38
                                  execution_graph 74045 4b144 74046 4b153 74045->74046 74048 4b159 74045->74048 74049 511b4 74046->74049 74050 511c1 74049->74050 74051 511eb 74050->74051 74054 8af27 74050->74054 74061 8ae7c 74050->74061 74051->74048 74059 8af36 74054->74059 74055 8b010 74055->74050 74056 8aeeb 107 API calls 74056->74059 74059->74055 74059->74056 74066 4bd0c 74059->74066 74071 8ad3a 74059->74071 74075 8aebf 107 API calls 74059->74075 74062 8ae86 74061->74062 74065 57140 7 API calls 74062->74065 74890 57190 74062->74890 74063 8aebb 74063->74050 74065->74063 74076 47ca2 74066->74076 74069 4bd3d 74069->74059 74072 8ad44 __EH_prolog 74071->74072 74084 56305 74072->74084 74073 8adbf 74073->74059 74075->74059 74078 47caf 74076->74078 74079 47cdb 74078->74079 74081 47c68 74078->74081 74079->74069 74080 4b8ec GetLastError 74079->74080 74080->74069 74082 47c76 74081->74082 74083 47c79 WriteFile 74081->74083 74082->74083 74083->74078 74085 5630f __EH_prolog 74084->74085 74121 562b9 74085->74121 74087 56427 74090 4965d VariantClear 74087->74090 74089 5644a 74125 4965d 74089->74125 74120 56445 74090->74120 74098 564ca 74104 564da 74098->74104 74098->74120 74289 442e3 CharUpperW 74098->74289 74101 565de 74102 565e7 74101->74102 74103 5669e 74101->74103 74114 565f6 74102->74114 74291 41e0c 74102->74291 74108 56754 74103->74108 74109 566b8 74103->74109 74103->74120 74104->74101 74104->74120 74290 5789c free memmove ctype 74104->74290 74178 55bea 74108->74178 74110 41e0c ctype 2 API calls 74109->74110 74110->74120 74113 5666b 74309 41e40 free 74113->74309 74296 636ea 74114->74296 74115 5665c 74308 431e5 malloc _CxxThrowException free _CxxThrowException 74115->74308 74120->74073 74123 562c9 74121->74123 74310 68fa4 74123->74310 74126 49685 74125->74126 74128 49665 74125->74128 74129 55126 74126->74129 74127 4967e VariantClear 74127->74126 74128->74126 74128->74127 74130 55130 __EH_prolog 74129->74130 74131 551b4 74130->74131 74137 5518e 74130->74137 74372 43097 malloc _CxxThrowException free SysStringLen ctype 74130->74372 74134 4965d VariantClear 74131->74134 74131->74137 74133 4965d VariantClear 74136 5527f 74133->74136 74135 551bc 74134->74135 74135->74137 74138 55206 74135->74138 74139 55289 74135->74139 74136->74120 74171 68b05 74136->74171 74137->74133 74373 43097 malloc _CxxThrowException free SysStringLen ctype 74138->74373 74139->74137 74140 55221 74139->74140 74142 4965d VariantClear 74140->74142 74143 5522d 74142->74143 74143->74136 74144 55351 74143->74144 74374 55459 malloc _CxxThrowException __EH_prolog 74143->74374 74144->74136 74151 553a1 74144->74151 74379 435e7 memmove 74144->74379 74147 552ba 74375 48011 5 API calls ctype 74147->74375 74149 552cf 74162 552fd 74149->74162 74376 4823d 10 API calls 2 library calls 74149->74376 74151->74136 74380 443b7 5 API calls 2 library calls 74151->74380 74153 552e5 74155 42fec 3 API calls 74153->74155 74157 552f5 74155->74157 74156 5540e 74382 5789c free memmove ctype 74156->74382 74377 41e40 free 74157->74377 74161 553df 74161->74156 74163 5541c 74161->74163 74381 442e3 CharUpperW 74161->74381 74378 554a0 free ctype 74162->74378 74164 636ea 5 API calls 74163->74164 74165 55427 74164->74165 74166 42fec 3 API calls 74165->74166 74167 55433 74166->74167 74383 41e40 free 74167->74383 74169 5543b 74384 72db9 free ctype 74169->74384 74172 68b2e 74171->74172 74173 4965d VariantClear 74172->74173 74174 5648a 74173->74174 74174->74120 74175 54d78 74174->74175 74385 69262 74175->74385 74179 55bf4 __EH_prolog 74178->74179 74392 554c0 74179->74392 74182 68b05 VariantClear 74183 55c34 74182->74183 74226 55e17 74183->74226 74407 55630 74183->74407 74186 636ea 5 API calls 74188 55c51 74186->74188 74187 55c60 74428 42f1c 74187->74428 74188->74187 74515 557c1 53 API calls 2 library calls 74188->74515 74191 55c6c 74194 55caa 74191->74194 74516 56217 4 API calls 2 library calls 74191->74516 74193 55c91 74195 42fec 3 API calls 74193->74195 74196 55d49 74194->74196 74518 42e04 74194->74518 74197 55c9e 74195->74197 74198 55d55 74196->74198 74199 55d91 74196->74199 74517 41e40 free 74197->74517 74202 42fec 3 API calls 74198->74202 74206 55da6 74199->74206 74431 558be 74199->74431 74205 55d66 74202->74205 74203 55cd2 74521 41e40 free 74203->74521 74208 55d73 74205->74208 74526 45b2d 11 API calls 2 library calls 74205->74526 74207 42fec 3 API calls 74206->74207 74287 55d8c 74206->74287 74209 55dd1 74207->74209 74208->74206 74211 55d7b 74208->74211 74216 55de7 74209->74216 74228 55e41 74209->74228 74209->74287 74211->74287 74527 57140 74211->74527 74214 55cf5 74214->74196 74222 42fec 3 API calls 74214->74222 74531 56b5e 69 API calls 2 library calls 74216->74531 74217 561fa 74552 41e40 free 74217->74552 74218 55eb0 74223 41e0c ctype 2 API calls 74218->74223 74220 55e01 74224 55e07 74220->74224 74225 55e20 74220->74225 74227 55d0c 74222->74227 74237 55eb7 74223->74237 74532 41e40 free 74224->74532 74233 57140 7 API calls 74225->74233 74225->74287 74226->74120 74522 41089 malloc _CxxThrowException free _CxxThrowException 74227->74522 74228->74218 74534 54115 VariantClear _CxxThrowException __EH_prolog 74228->74534 74232 55e0f 74533 41e40 free 74232->74533 74233->74287 74234 55d16 74236 42f1c 2 API calls 74234->74236 74239 55d25 74236->74239 74504 47c0d 74237->74504 74241 55e6e 74241->74218 74248 55ea5 74241->74248 74249 55ece 74241->74249 74241->74287 74252 42fec 3 API calls 74248->74252 74535 45c7e 11 API calls 2 library calls 74249->74535 74252->74218 74256 55ed8 74257 55f01 74256->74257 74258 55edc 74256->74258 74261 57140 7 API calls 74257->74261 74536 4757d GetLastError 74258->74536 74551 41e40 free 74287->74551 74288 55110 9 API calls 74288->74098 74289->74098 74290->74101 74292 41e15 74291->74292 74293 41e1c malloc 74291->74293 74292->74293 74294 41e3e 74293->74294 74295 41e2a _CxxThrowException 74293->74295 74294->74114 74295->74294 74297 636f4 __EH_prolog 74296->74297 74298 42e04 2 API calls 74297->74298 74300 6370a 74298->74300 74299 63736 74301 42f1c 2 API calls 74299->74301 74300->74299 74888 41089 malloc _CxxThrowException free _CxxThrowException 74300->74888 74889 431e5 malloc _CxxThrowException free _CxxThrowException 74300->74889 74304 63742 74301->74304 74887 41e40 free 74304->74887 74306 56633 74306->74113 74306->74115 74307 41089 malloc _CxxThrowException free _CxxThrowException 74306->74307 74307->74115 74308->74113 74309->74120 74311 68fae __EH_prolog 74310->74311 74344 67ebb 74311->74344 74317 69020 74327 56302 74317->74327 74352 42fec 74317->74352 74320 6904d 74322 69144 74320->74322 74320->74327 74331 69100 74320->74331 74332 690d6 74320->74332 74359 43097 malloc _CxxThrowException free SysStringLen ctype 74320->74359 74329 6917b 74322->74329 74361 42f88 74322->74361 74323 69244 74369 443b7 5 API calls 2 library calls 74323->74369 74324 691b0 74367 68b9c 10 API calls 2 library calls 74324->74367 74327->74087 74327->74089 74327->74120 74329->74323 74329->74324 74330 691c0 74330->74327 74336 42f88 3 API calls 74330->74336 74333 4965d VariantClear 74331->74333 74332->74331 74335 690e7 74332->74335 74360 68f2e 9 API calls 74332->74360 74333->74327 74339 4965d VariantClear 74335->74339 74342 691ff 74336->74342 74338 69112 74338->74331 74340 68b64 VariantClear 74338->74340 74339->74322 74341 69123 74340->74341 74341->74331 74341->74335 74342->74327 74368 450ff free ctype 74342->74368 74345 67ee4 74344->74345 74347 67ec6 74344->74347 74348 68b64 74345->74348 74346 41e40 free ctype 74346->74347 74347->74345 74347->74346 74349 68b05 VariantClear 74348->74349 74350 68b6f 74349->74350 74350->74327 74351 68f2e 9 API calls 74350->74351 74351->74317 74353 42ffc 74352->74353 74354 42ff8 74352->74354 74353->74354 74355 41e0c ctype 2 API calls 74353->74355 74354->74320 74358 68b80 VariantClear 74354->74358 74356 43010 74355->74356 74370 41e40 free 74356->74370 74358->74320 74359->74332 74360->74338 74362 42f9a 74361->74362 74363 42fbe 74362->74363 74364 41e0c ctype 2 API calls 74362->74364 74363->74329 74363->74363 74365 42fb4 74364->74365 74371 41e40 free 74365->74371 74367->74330 74368->74327 74369->74327 74370->74354 74371->74363 74372->74131 74373->74140 74374->74147 74375->74149 74376->74153 74377->74162 74378->74144 74379->74144 74380->74161 74381->74161 74382->74163 74383->74169 74384->74136 74386 6926c __EH_prolog 74385->74386 74387 692fc 74386->74387 74391 692a4 74386->74391 74389 4965d VariantClear 74387->74389 74388 4965d VariantClear 74390 54d91 74388->74390 74389->74390 74390->74098 74390->74120 74390->74288 74391->74388 74393 554ca __EH_prolog 74392->74393 74395 4965d VariantClear 74393->74395 74397 55507 74393->74397 74394 4965d VariantClear 74396 55567 74394->74396 74399 55528 74395->74399 74396->74182 74396->74226 74397->74394 74398 55572 74400 4965d VariantClear 74398->74400 74399->74397 74399->74398 74401 5558e 74400->74401 74553 54cac VariantClear __EH_prolog 74401->74553 74403 555a1 74403->74396 74554 54cac VariantClear __EH_prolog 74403->74554 74405 555b8 74405->74396 74555 54cac VariantClear __EH_prolog 74405->74555 74408 5563a __EH_prolog 74407->74408 74410 55679 74408->74410 74556 63558 10 API calls 2 library calls 74408->74556 74411 5571a 74410->74411 74412 42f1c 2 API calls 74410->74412 74411->74186 74413 55696 74412->74413 74557 63333 malloc _CxxThrowException free 74413->74557 74415 556a2 74416 556c5 74415->74416 74417 556ad 74415->74417 74419 556b4 74416->74419 74559 44adf wcscmp 74416->74559 74558 57853 5 API calls 2 library calls 74417->74558 74421 55707 74419->74421 74561 41089 malloc _CxxThrowException free _CxxThrowException 74419->74561 74562 431e5 malloc _CxxThrowException free _CxxThrowException 74421->74562 74422 556d2 74422->74419 74560 57853 5 API calls 2 library calls 74422->74560 74425 55712 74563 41e40 free 74425->74563 74564 42ba6 74428->74564 74432 558c8 __EH_prolog 74431->74432 74433 42e04 2 API calls 74432->74433 74434 558e9 74433->74434 74567 46c72 74434->74567 74437 55905 74439 55a23 74437->74439 74497 55a01 74437->74497 74682 55bcf malloc _CxxThrowException 74437->74682 74438 55b2d 74854 47bf0 74504->74854 74515->74187 74516->74193 74517->74194 74519 41e0c ctype 2 API calls 74518->74519 74520 42e11 74519->74520 74520->74203 74521->74214 74522->74234 74526->74208 74528 5718d 74527->74528 74529 5714b 74527->74529 74528->74287 74529->74528 74885 54dff 7 API calls 2 library calls 74529->74885 74531->74220 74532->74232 74533->74226 74534->74241 74535->74256 74551->74217 74552->74226 74553->74403 74554->74405 74555->74396 74556->74410 74557->74415 74558->74419 74559->74422 74560->74419 74561->74421 74562->74425 74563->74411 74565 41e0c ctype 2 API calls 74564->74565 74566 42bbb 74565->74566 74566->74191 74569 46c7c __EH_prolog 74567->74569 74568 46cd3 74571 46ce2 74568->74571 74574 46d87 74568->74574 74569->74568 74570 46cb7 74569->74570 74572 42f88 3 API calls 74570->74572 74573 42f88 3 API calls 74571->74573 74598 46cc7 74572->74598 74578 46cf5 74573->74578 74581 46f4a 74574->74581 74727 42e47 74574->74727 74579 46d4a 74578->74579 74582 46d0b 74578->74582 74584 46fd1 74581->74584 74586 46f7e 74581->74586 74598->74437 74598->74438 74728 42e57 74727->74728 74857 4759a 74854->74857 74885->74528 74887->74306 74888->74300 74889->74300 74891 5719a __EH_prolog 74890->74891 74892 571b0 74891->74892 74896 571dd 74891->74896 74893 54d78 VariantClear 74892->74893 74895 571b7 74893->74895 74895->74063 74903 56fc5 74896->74903 74897 572b4 74898 572c0 74897->74898 74899 54d78 VariantClear 74897->74899 74898->74895 74900 57140 7 API calls 74898->74900 74899->74898 74900->74895 74901 57236 74901->74895 74901->74897 74902 572a3 SetFileSecurityW 74901->74902 74902->74897 74904 56fcf __EH_prolog 74903->74904 74929 544a6 74904->74929 74906 5706a 74932 568ac 74906->74932 74910 5709e 74956 41e40 free 74910->74956 74912 57029 74912->74906 74951 54dff 7 API calls 2 library calls 74912->74951 74913 57051 74913->74906 74918 511b4 107 API calls 74913->74918 74916 5712e 74916->74901 74917 570c0 74952 46096 15 API calls 2 library calls 74917->74952 74918->74906 74920 570d1 74921 570e2 74920->74921 74953 54dff 7 API calls 2 library calls 74920->74953 74925 570e6 74921->74925 74954 56b5e 69 API calls 2 library calls 74921->74954 74924 570fd 74924->74925 74926 57103 74924->74926 74925->74910 74955 41e40 free 74926->74955 74928 5710b 74928->74916 74930 42e04 2 API calls 74929->74930 74931 544be 74930->74931 74931->74906 74931->74912 74950 56e71 12 API calls 2 library calls 74931->74950 74933 568b6 __EH_prolog 74932->74933 74934 56921 74933->74934 74936 47d4b 6 API calls 74933->74936 74949 568c5 74933->74949 74935 56962 74934->74935 74938 56998 74934->74938 74959 56a17 6 API calls 2 library calls 74934->74959 74935->74938 74960 42dcd malloc _CxxThrowException 74935->74960 74941 56906 74936->74941 74937 569e1 74963 4bcf8 CloseHandle 74937->74963 74938->74937 74957 47c3b SetFileTime 74938->74957 74941->74934 74958 54dff 7 API calls 2 library calls 74941->74958 74944 5697a 74961 56b09 13 API calls __EH_prolog 74944->74961 74947 5698c 74962 41e40 free 74947->74962 74949->74910 74949->74917 74950->74912 74951->74913 74952->74920 74953->74921 74954->74924 74955->74928 74956->74916 74957->74937 74958->74934 74959->74935 74960->74944 74961->74947 74962->74938 74963->74949 74964 6a7c5 74972 6a96b 74964->74972 74998 6a7e9 74964->74998 74965 6ade3 75075 41e40 free 74965->75075 74967 6a952 74967->74972 75056 6e0b0 6 API calls 74967->75056 74968 6adeb 75076 41e40 free 74968->75076 74972->74965 74983 6ac1e 74972->74983 74996 6ac6c 74972->74996 75011 6ad88 74972->75011 75015 6ad17 74972->75015 75017 6acbc 74972->75017 75031 5101c 74972->75031 75034 698f2 74972->75034 75040 6cc6f 74972->75040 75057 69531 5 API calls __EH_prolog 74972->75057 75058 680c1 malloc _CxxThrowException __EH_prolog 74972->75058 75059 6c820 5 API calls 2 library calls 74972->75059 75060 6814d 6 API calls 74972->75060 75061 68125 free ctype 74972->75061 74973 6adf3 74974 6ae99 74973->74974 74978 804d2 malloc _CxxThrowException free _CxxThrowException memcpy 74973->74978 74975 41e0c ctype 2 API calls 74974->74975 74979 6aea9 memset memset 74975->74979 74978->74973 74981 6aedd 74979->74981 74980 6ac26 75063 41e40 free 74980->75063 75077 41e40 free 74981->75077 75062 41e40 free 74983->75062 74986 6aee5 75078 41e40 free 74986->75078 74990 6aef0 75079 41e40 free 74990->75079 74994 6c430 75081 41e40 free 74994->75081 75064 41e40 free 74996->75064 74997 6c438 75082 41e40 free 74997->75082 74998->74967 75049 6e0b0 6 API calls 74998->75049 75050 804d2 74998->75050 75002 6c443 75083 41e40 free 75002->75083 75003 6ac85 75065 41e40 free 75003->75065 75006 6c44e 75084 41e40 free 75006->75084 75008 6ac2e 75080 41e40 free 75008->75080 75009 6c459 75072 68125 free ctype 75011->75072 75069 68125 free ctype 75015->75069 75016 6ad93 75073 41e40 free 75016->75073 75066 68125 free ctype 75017->75066 75021 6acc7 75067 41e40 free 75021->75067 75022 6ad3c 75070 41e40 free 75022->75070 75023 6adac 75074 41e40 free 75023->75074 75027 6ace0 75068 41e40 free 75027->75068 75028 6ad55 75071 41e40 free 75028->75071 75085 4b95a 75031->75085 75035 698fc __EH_prolog 75034->75035 75092 69987 75035->75092 75037 69970 75037->74972 75039 69911 75039->75037 75096 6ef8d 12 API calls 2 library calls 75039->75096 75136 8f445 75040->75136 75142 85505 75040->75142 75146 8cf91 75040->75146 75041 6cc8b 75045 6cccb 75041->75045 75154 6979e VariantClear __EH_prolog 75041->75154 75043 6ccb1 75043->75045 75155 6cae9 VariantClear 75043->75155 75045->74972 75049->74998 75051 804df 75050->75051 75052 80513 75050->75052 75053 804e8 _CxxThrowException 75051->75053 75054 804fd 75051->75054 75052->74998 75053->75054 75787 80551 malloc _CxxThrowException free memcpy ctype 75054->75787 75056->74972 75057->74972 75058->74972 75059->74972 75060->74972 75061->74972 75062->74980 75063->75008 75064->75003 75065->75008 75066->75021 75067->75027 75068->75008 75069->75022 75070->75028 75071->75008 75072->75016 75073->75023 75074->75008 75075->74968 75076->74973 75077->74986 75078->74990 75079->75008 75080->74994 75081->74997 75082->75002 75083->75006 75084->75009 75086 4b969 75085->75086 75089 4b97d 75085->75089 75087 47731 5 API calls 75086->75087 75086->75089 75088 4b9ee 75087->75088 75088->75089 75091 4b8ec GetLastError 75088->75091 75089->74972 75091->75089 75093 69991 __EH_prolog 75092->75093 75097 980aa 75093->75097 75094 699a8 75094->75039 75096->75037 75098 980b4 __EH_prolog 75097->75098 75099 41e0c ctype 2 API calls 75098->75099 75100 980bf 75099->75100 75101 980d3 75100->75101 75103 8bdb5 75100->75103 75101->75094 75104 8bdbf __EH_prolog 75103->75104 75109 8be69 75104->75109 75106 8bdef 75107 42e04 2 API calls 75106->75107 75108 8be16 75107->75108 75108->75101 75110 8be73 __EH_prolog 75109->75110 75113 85e2b 75110->75113 75112 8be7f 75112->75106 75114 85e35 __EH_prolog 75113->75114 75119 808b6 75114->75119 75116 85e41 75124 5dfc9 malloc _CxxThrowException __EH_prolog 75116->75124 75118 85e57 75118->75112 75125 49c60 75119->75125 75121 808c4 75130 49c8f GetModuleHandleA GetProcAddress 75121->75130 75123 808f3 __aulldiv 75123->75116 75124->75118 75135 49c4d GetCurrentProcess GetProcessAffinityMask 75125->75135 75127 49c6e 75128 49c80 GetSystemInfo 75127->75128 75129 49c79 75127->75129 75128->75121 75129->75121 75131 49cc4 GlobalMemoryStatusEx 75130->75131 75132 49cef GlobalMemoryStatus 75130->75132 75131->75132 75134 49cce 75131->75134 75133 49d08 75132->75133 75133->75134 75134->75123 75135->75127 75137 8f455 75136->75137 75156 51092 75137->75156 75140 8f478 75140->75041 75143 8550f __EH_prolog 75142->75143 75208 84e8a 75143->75208 75147 8cf9b __EH_prolog 75146->75147 75148 8f445 14 API calls 75147->75148 75149 8d018 75148->75149 75151 8d01f 75149->75151 75431 91511 75149->75431 75151->75041 75152 8d08b 75152->75151 75437 92c5d 11 API calls 2 library calls 75152->75437 75154->75043 75155->75045 75158 4b95a 6 API calls 75156->75158 75157 510aa 75157->75140 75159 8f1b2 75157->75159 75158->75157 75160 8f1bc __EH_prolog 75159->75160 75169 51168 75160->75169 75162 8f1d3 75163 8f21c _CxxThrowException 75162->75163 75164 8f231 memcpy 75162->75164 75165 8f1e6 75162->75165 75163->75164 75167 8f24c 75164->75167 75165->75140 75166 8f2f0 memmove 75166->75167 75167->75165 75167->75166 75168 8f31a memcpy 75167->75168 75168->75165 75172 5111c 75169->75172 75173 51130 75172->75173 75174 5115f 75173->75174 75177 4d331 75173->75177 75181 4b668 75173->75181 75174->75162 75179 4d355 75177->75179 75178 4d374 75178->75173 75179->75178 75180 4b668 10 API calls 75179->75180 75180->75178 75184 4b675 75181->75184 75186 4b6aa 75184->75186 75187 4b81b 75184->75187 75188 47731 5 API calls 75184->75188 75189 4b7e7 75184->75189 75191 4b811 75184->75191 75193 4b7ad 75184->75193 75198 4b864 75184->75198 75205 47b4f ReadFile 75184->75205 75185 4b8aa GetLastError 75185->75186 75186->75173 75187->75186 75190 4b839 memcpy 75187->75190 75188->75184 75192 47731 5 API calls 75189->75192 75189->75198 75190->75186 75206 4b8ec GetLastError 75191->75206 75194 4b80d 75192->75194 75193->75184 75199 4b8c7 75193->75199 75204 c6a20 VirtualAlloc 75193->75204 75194->75191 75194->75198 75200 47b7c 75198->75200 75199->75186 75201 47b89 75200->75201 75207 47b4f ReadFile 75201->75207 75203 47b9a 75203->75185 75203->75186 75204->75193 75205->75184 75206->75186 75207->75203 75209 84e94 __EH_prolog 75208->75209 75210 42e04 2 API calls 75209->75210 75311 84f1d 75209->75311 75211 84ed7 75210->75211 75340 57fc5 75211->75340 75213 84f0a 75217 4965d VariantClear 75213->75217 75214 84f37 75215 84f41 75214->75215 75216 84f63 75214->75216 75218 4965d VariantClear 75215->75218 75219 42f88 3 API calls 75216->75219 75220 84f15 75217->75220 75221 84f4c 75218->75221 75222 84f71 75219->75222 75361 41e40 free 75220->75361 75362 41e40 free 75221->75362 75225 4965d VariantClear 75222->75225 75226 84f80 75225->75226 75363 55bcf malloc _CxxThrowException 75226->75363 75228 84f9a 75229 42e47 2 API calls 75228->75229 75230 84fad 75229->75230 75231 42f1c 2 API calls 75230->75231 75232 84fbd 75231->75232 75233 42e04 2 API calls 75232->75233 75234 84fd1 75233->75234 75235 42e04 2 API calls 75234->75235 75241 84fdd 75235->75241 75236 85404 75408 41e40 free 75236->75408 75238 8540c 75409 41e40 free 75238->75409 75240 85414 75410 41e40 free 75240->75410 75241->75236 75364 55bcf malloc _CxxThrowException 75241->75364 75244 85099 75246 42da9 2 API calls 75244->75246 75245 8541c 75411 41e40 free 75245->75411 75248 850a9 75246->75248 75250 42fec 3 API calls 75248->75250 75249 85424 75412 41e40 free 75249->75412 75252 850b6 75250->75252 75365 41e40 free 75252->75365 75253 8542c 75413 41e40 free 75253->75413 75256 850be 75366 41e40 free 75256->75366 75258 850cd 75259 42f88 3 API calls 75258->75259 75260 850e3 75259->75260 75261 85100 75260->75261 75262 850f1 75260->75262 75373 43044 malloc _CxxThrowException free ctype 75261->75373 75367 430ea 75262->75367 75265 850fe 75374 51029 6 API calls 75265->75374 75267 8511a 75268 8516b 75267->75268 75269 85120 75267->75269 75381 5089e malloc _CxxThrowException free _CxxThrowException memcpy 75268->75381 75375 41e40 free 75269->75375 75272 85187 75276 804d2 5 API calls 75272->75276 75273 85128 75376 41e40 free 75273->75376 75275 85130 75377 41e40 free 75275->75377 75278 851ba 75276->75278 75382 80516 malloc _CxxThrowException ctype 75278->75382 75279 85138 75378 41e40 free 75279->75378 75282 851c5 75287 8522d 75282->75287 75288 851f5 75282->75288 75283 85140 75379 41e40 free 75283->75379 75285 85148 75380 41e40 free 75285->75380 75289 42e04 2 API calls 75287->75289 75383 41e40 free 75288->75383 75337 85235 75289->75337 75291 851fd 75384 41e40 free 75291->75384 75294 85205 75385 41e40 free 75294->75385 75295 8532e 75394 41e40 free 75295->75394 75298 8520d 75386 41e40 free 75298->75386 75299 85347 75299->75236 75301 85358 75299->75301 75395 41e40 free 75301->75395 75302 85215 75387 41e40 free 75302->75387 75304 853a3 75401 41e40 free 75304->75401 75306 85360 75396 41e40 free 75306->75396 75307 8521d 75388 41e40 free 75307->75388 75311->75041 75312 85368 75397 41e40 free 75312->75397 75315 853bc 75402 41e40 free 75315->75402 75317 85370 75398 41e40 free 75317->75398 75320 853c4 75403 41e40 free 75320->75403 75322 804d2 5 API calls 75322->75337 75323 85378 75399 41e40 free 75323->75399 75325 853cc 75404 41e40 free 75325->75404 75326 85380 75400 41e40 free 75326->75400 75330 853d4 75405 41e40 free 75330->75405 75332 853dc 75406 41e40 free 75332->75406 75334 853e4 75407 41e40 free 75334->75407 75337->75295 75337->75304 75337->75322 75338 42e04 2 API calls 75337->75338 75389 8545c 5 API calls 2 library calls 75337->75389 75390 51029 6 API calls 75337->75390 75391 5089e malloc _CxxThrowException free _CxxThrowException memcpy 75337->75391 75392 80516 malloc _CxxThrowException ctype 75337->75392 75393 41e40 free 75337->75393 75338->75337 75341 57fcf __EH_prolog 75340->75341 75342 58061 75341->75342 75344 5805c 75341->75344 75345 58019 75341->75345 75348 57ff4 75341->75348 75342->75344 75357 58025 75342->75357 75422 49630 VariantClear 75344->75422 75345->75348 75349 5801e 75345->75349 75346 580b8 75351 4965d VariantClear 75346->75351 75359 5800a 75348->75359 75414 4950d 75348->75414 75352 58042 75349->75352 75353 58022 75349->75353 75355 580c0 75351->75355 75420 49597 VariantClear 75352->75420 75356 58032 75353->75356 75353->75357 75355->75213 75355->75214 75419 49604 VariantClear 75356->75419 75357->75359 75421 495df VariantClear 75357->75421 75423 49736 VariantClear 75359->75423 75361->75311 75362->75311 75363->75228 75364->75244 75365->75256 75366->75258 75368 430fd 75367->75368 75369 41e0c ctype 2 API calls 75368->75369 75372 4311d 75368->75372 75370 43113 75369->75370 75430 41e40 free 75370->75430 75372->75265 75373->75265 75374->75267 75375->75273 75376->75275 75377->75279 75378->75283 75379->75285 75380->75311 75381->75272 75382->75282 75383->75291 75384->75294 75385->75298 75386->75302 75387->75307 75388->75311 75389->75337 75390->75337 75391->75337 75392->75337 75393->75337 75394->75299 75395->75306 75396->75312 75397->75317 75398->75323 75399->75326 75400->75311 75401->75315 75402->75320 75403->75325 75404->75330 75405->75332 75406->75334 75407->75311 75408->75238 75409->75240 75410->75245 75411->75249 75412->75253 75413->75311 75424 49767 75414->75424 75416 49518 SysAllocStringLen 75417 4954f 75416->75417 75418 49539 _CxxThrowException 75416->75418 75417->75359 75418->75417 75419->75359 75420->75359 75421->75359 75422->75359 75423->75346 75425 49770 75424->75425 75426 49779 75424->75426 75425->75416 75429 49686 VariantClear 75426->75429 75428 49780 75428->75416 75429->75428 75430->75372 75432 9151b __EH_prolog 75431->75432 75438 910d3 75432->75438 75435 91589 75435->75152 75436 91552 _CxxThrowException 75436->75152 75437->75151 75439 910dd __EH_prolog 75438->75439 75470 8d1b7 75439->75470 75442 912ef 75442->75435 75442->75436 75443 911f4 75443->75442 75469 4b95a 6 API calls 75443->75469 75444 9139e 75444->75442 75445 913c4 75444->75445 75446 41e0c ctype 2 API calls 75444->75446 75447 51168 10 API calls 75445->75447 75446->75445 75450 913da 75447->75450 75448 51168 10 API calls 75448->75443 75452 913f9 75450->75452 75462 913de 75450->75462 75512 8ef67 _CxxThrowException 75450->75512 75477 8f047 75452->75477 75455 914ba 75516 90943 50 API calls 2 library calls 75455->75516 75456 91450 75481 906ae 75456->75481 75460 914e7 75517 72db9 free ctype 75460->75517 75518 41e40 free 75462->75518 75465 9148e 75466 8f047 _CxxThrowException 75465->75466 75467 914ac 75466->75467 75467->75455 75515 8ef67 _CxxThrowException 75467->75515 75469->75444 75519 8d23c 75470->75519 75472 8d1ed 75526 41e40 free 75472->75526 75474 8d209 75527 41e40 free 75474->75527 75476 8d21c 75476->75442 75476->75443 75476->75448 75478 8f063 75477->75478 75479 8f072 75478->75479 75555 8ef67 _CxxThrowException 75478->75555 75479->75455 75479->75456 75513 8ef67 _CxxThrowException 75479->75513 75482 906b8 __EH_prolog 75481->75482 75556 903f4 75482->75556 75487 908e3 _CxxThrowException 75489 908f7 75487->75489 75493 8b8dc ctype free 75489->75493 75490 908ae 75684 41e40 free 75490->75684 75491 4429a 3 API calls 75502 90715 75491->75502 75495 90914 75493->75495 75494 908b6 75685 41e40 free 75494->75685 75687 41e40 free 75495->75687 75496 41e0c ctype 2 API calls 75496->75502 75498 908be 75686 8c149 free ctype 75498->75686 75501 9091c 75688 41e40 free 75501->75688 75502->75487 75502->75489 75502->75491 75502->75496 75510 90877 75502->75510 75511 8ef67 _CxxThrowException 75502->75511 75586 512a5 75502->75586 75591 881ec 75502->75591 75504 90924 75689 41e40 free 75504->75689 75507 9092c 75690 8c149 free ctype 75507->75690 75509 908d0 75509->75460 75509->75465 75514 8ef67 _CxxThrowException 75509->75514 75677 8b8dc 75510->75677 75511->75502 75512->75452 75513->75456 75514->75465 75515->75455 75516->75460 75517->75462 75518->75442 75528 8d2b8 75519->75528 75522 8d25e 75545 41e40 free 75522->75545 75525 8d275 75525->75472 75526->75474 75527->75476 75547 41e40 free 75528->75547 75530 8d2c8 75548 41e40 free 75530->75548 75532 8d2dc 75549 41e40 free 75532->75549 75534 8d2e7 75550 41e40 free 75534->75550 75536 8d2f2 75551 41e40 free 75536->75551 75538 8d2fd 75552 41e40 free 75538->75552 75540 8d308 75553 41e40 free 75540->75553 75542 8d313 75543 8d246 75542->75543 75554 41e40 free 75542->75554 75543->75522 75546 41e40 free 75543->75546 75545->75525 75546->75522 75547->75530 75548->75532 75549->75534 75550->75536 75551->75538 75552->75540 75553->75542 75554->75543 75555->75479 75557 8f047 _CxxThrowException 75556->75557 75558 90407 75557->75558 75559 8f047 _CxxThrowException 75558->75559 75560 90475 75558->75560 75561 90421 75559->75561 75563 9049a 75560->75563 75694 8fa3f 22 API calls 2 library calls 75560->75694 75565 9043e 75561->75565 75691 8ef67 _CxxThrowException 75561->75691 75573 904b8 75563->75573 75695 9159a malloc _CxxThrowException free ctype 75563->75695 75564 904e8 75697 97c4a malloc _CxxThrowException free ctype 75564->75697 75692 8f93c 7 API calls 2 library calls 75565->75692 75566 90492 75571 8f047 _CxxThrowException 75566->75571 75569 904cd 75696 8fff0 9 API calls 2 library calls 75569->75696 75571->75563 75573->75564 75573->75569 75574 904db 75578 8f047 _CxxThrowException 75574->75578 75576 904e3 75582 9054a 75576->75582 75699 8ef67 _CxxThrowException 75576->75699 75577 90446 75579 9046d 75577->75579 75693 8ef67 _CxxThrowException 75577->75693 75578->75576 75581 8f047 _CxxThrowException 75579->75581 75580 904f3 75580->75576 75698 5089e malloc _CxxThrowException free _CxxThrowException memcpy 75580->75698 75581->75560 75582->75502 75587 804d2 5 API calls 75586->75587 75588 512ad 75587->75588 75589 41e0c ctype 2 API calls 75588->75589 75590 512b4 75589->75590 75590->75502 75592 881f6 __EH_prolog 75591->75592 75700 8f749 75592->75700 75594 8824e 75762 891cc free ctype 75594->75762 75595 8823b 75595->75594 75704 88f58 75595->75704 75658 88667 75658->75502 75678 8b8e6 __EH_prolog 75677->75678 75785 41e40 free 75678->75785 75680 8b90d 75786 7e647 free ctype 75680->75786 75682 8b915 75683 41e40 free 75682->75683 75683->75490 75684->75494 75685->75498 75686->75509 75687->75501 75688->75504 75689->75507 75690->75509 75691->75565 75692->75577 75693->75579 75694->75566 75695->75573 75696->75574 75697->75580 75698->75580 75699->75582 75701 8f779 75700->75701 75702 8f782 _CxxThrowException 75701->75702 75703 8f797 75701->75703 75702->75703 75703->75595 75705 88f6a 75704->75705 75763 57cec 75705->75763 75710 57cec 4 API calls 75711 88fcf 75710->75711 75712 512d4 4 API calls 75711->75712 75762->75658 75764 57d3f 75763->75764 75765 57cff 75763->75765 75771 512d4 75764->75771 75766 57d07 _CxxThrowException 75765->75766 75767 57d1c 75765->75767 75766->75767 75779 41e40 free 75767->75779 75769 57d23 75770 41e0c ctype 2 API calls 75769->75770 75770->75764 75772 512e7 75771->75772 75778 51327 75771->75778 75773 51304 75772->75773 75774 512ef _CxxThrowException 75772->75774 75780 41e40 free 75773->75780 75774->75773 75776 5130b 75778->75710 75779->75769 75780->75776 75785->75680 75786->75682 75787->75052 75788 6d3c2 75789 6d3e9 75788->75789 75790 4965d VariantClear 75789->75790 75791 6d42a 75790->75791 75792 6d883 2 API calls 75791->75792 75793 6d4b1 75792->75793 75879 68d4a 75793->75879 75796 68b05 VariantClear 75799 6d4e3 75796->75799 75896 62a72 75799->75896 75800 42fec 3 API calls 75801 6d594 75800->75801 75802 6d742 75801->75802 75803 6d5cd 75801->75803 75927 6cd49 malloc _CxxThrowException free 75802->75927 75805 6d7d9 75803->75805 75900 69317 75803->75900 75930 41e40 free 75805->75930 75806 6d754 75809 42fec 3 API calls 75806->75809 75813 6d763 75809->75813 75810 6d7e1 75931 41e40 free 75810->75931 75812 6d5f1 75815 804d2 5 API calls 75812->75815 75928 41e40 free 75813->75928 75818 6d5f9 75815->75818 75817 6d7e9 75820 6326b free 75817->75820 75906 6e332 75818->75906 75819 6d76b 75929 41e40 free 75819->75929 75830 6d69a 75820->75830 75824 6d773 75826 6326b free 75824->75826 75826->75830 75827 6d610 75913 41e40 free 75827->75913 75829 6d618 75914 6326b 75829->75914 75832 6d2a8 75832->75830 75854 6d883 75832->75854 75835 42fec 3 API calls 75836 6d361 75835->75836 75837 42fec 3 API calls 75836->75837 75838 6d36d 75837->75838 75866 6d0e1 75838->75866 75840 6d380 75841 6d665 75840->75841 75842 6d38a 75840->75842 75855 6d88d __EH_prolog 75854->75855 75856 42e04 2 API calls 75855->75856 75857 6d8c6 75856->75857 75858 42e04 2 API calls 75857->75858 75859 6d8d2 75858->75859 75860 42e04 2 API calls 75859->75860 75861 6d8de 75860->75861 75932 62b63 75861->75932 75864 62b63 2 API calls 75865 6d34f 75864->75865 75865->75835 75867 6d0eb __EH_prolog 75866->75867 75868 6d10b 75867->75868 75869 6d138 75867->75869 75870 41e0c ctype 2 API calls 75868->75870 75871 41e0c ctype 2 API calls 75869->75871 75872 6d112 75869->75872 75870->75872 75873 6d14b 75871->75873 75872->75840 75874 42fec 3 API calls 75873->75874 75880 68d54 __EH_prolog 75879->75880 75894 68da4 75880->75894 75940 42b55 malloc _CxxThrowException free _CxxThrowException ctype 75880->75940 75881 68e15 75884 68e2d 75881->75884 75886 68e5e 75881->75886 75888 68e21 75881->75888 75882 68e09 75883 4965d VariantClear 75882->75883 75887 68e11 75883->75887 75885 68e2b 75884->75885 75884->75886 75891 4965d VariantClear 75885->75891 75890 4965d VariantClear 75886->75890 75887->75796 75941 43097 malloc _CxxThrowException free SysStringLen ctype 75888->75941 75890->75887 75893 68e47 75891->75893 75893->75887 75942 68e7c 6 API calls __EH_prolog 75893->75942 75894->75881 75894->75882 75894->75887 75897 62a82 75896->75897 75898 42e04 2 API calls 75897->75898 75899 62a9f 75898->75899 75899->75800 75901 69321 __EH_prolog 75900->75901 75905 69360 75901->75905 75943 49686 VariantClear 75901->75943 75902 4965d VariantClear 75903 693d0 75902->75903 75903->75805 75903->75812 75905->75902 75907 6e33c __EH_prolog 75906->75907 75908 41e0c ctype 2 API calls 75907->75908 75909 6e34a 75908->75909 75910 6d608 75909->75910 75944 6e3d1 malloc _CxxThrowException __EH_prolog 75909->75944 75912 41e40 free 75910->75912 75912->75827 75913->75829 75915 63275 __EH_prolog 75914->75915 75945 62c0b 75915->75945 75918 62c0b ctype free 75919 63296 75918->75919 75950 41e40 free 75919->75950 75921 6329e 75951 41e40 free 75921->75951 75923 632a6 75952 41e40 free 75923->75952 75925 632ae 75925->75832 75927->75806 75928->75819 75929->75824 75930->75810 75931->75817 75933 62b6d __EH_prolog 75932->75933 75934 42e04 2 API calls 75933->75934 75935 62b9a 75934->75935 75936 42e04 2 API calls 75935->75936 75937 62ba5 75936->75937 75937->75864 75940->75894 75941->75885 75942->75887 75943->75905 75944->75910 75953 41e40 free 75945->75953 75947 62c16 75954 41e40 free 75947->75954 75949 62c1e 75949->75918 75950->75921 75951->75923 75952->75925 75953->75947 75954->75949 75955 c6bc6 75956 c6bcd 75955->75956 75957 c6bca 75955->75957 75956->75957 75958 c6bd1 malloc 75956->75958 75958->75957 75959 80343 75964 8035f 75959->75964 75962 80358 75965 80369 __EH_prolog 75964->75965 75981 5139e 75965->75981 75970 80143 ctype free 75971 8039a 75970->75971 75991 41e40 free 75971->75991 75973 803a2 75992 41e40 free 75973->75992 75975 803aa 75993 803d8 75975->75993 75980 41e40 free 75980->75962 75982 513b3 75981->75982 75983 513ae 75981->75983 75985 801c4 75982->75985 76009 d7ea0 SetEvent GetLastError 75983->76009 75987 801ce __EH_prolog 75985->75987 75989 80203 75987->75989 76011 41e40 free 75987->76011 75988 8020b 75988->75970 76010 41e40 free 75989->76010 75991->75973 75992->75975 75994 803e2 __EH_prolog 75993->75994 75995 5139e ctype 2 API calls 75994->75995 75996 803fb 75995->75996 76012 d7d50 75996->76012 75998 80403 75999 d7d50 ctype 2 API calls 75998->75999 76000 8040b 75999->76000 76001 d7d50 ctype 2 API calls 76000->76001 76002 803b7 76001->76002 76003 8004a 76002->76003 76004 80054 __EH_prolog 76003->76004 76018 41e40 free 76004->76018 76006 80067 76019 41e40 free 76006->76019 76008 8006f 76008->75962 76008->75980 76009->75982 76010->75988 76011->75987 76013 d7d59 CloseHandle 76012->76013 76014 d7d7b 76012->76014 76015 d7d75 76013->76015 76016 d7d64 GetLastError 76013->76016 76014->75998 76015->76014 76016->76014 76017 d7d6e 76016->76017 76017->75998 76018->76006 76019->76008 76020 6d948 76050 6dac7 76020->76050 76022 6d94f 76023 42e04 2 API calls 76022->76023 76024 6d97b 76023->76024 76025 42e04 2 API calls 76024->76025 76026 6d987 76025->76026 76029 6d9e7 76026->76029 76058 46404 76026->76058 76031 6da0f 76029->76031 76048 6da36 76029->76048 76083 41e40 free 76031->76083 76034 6d9bf 76081 41e40 free 76034->76081 76035 6da94 76087 41e40 free 76035->76087 76036 6da17 76084 41e40 free 76036->76084 76040 6d9c7 76082 41e40 free 76040->76082 76041 6da9c 76088 41e40 free 76041->76088 76042 42da9 2 API calls 76042->76048 76045 6d9cf 76046 804d2 5 API calls 76046->76048 76048->76035 76048->76042 76048->76046 76085 41524 malloc _CxxThrowException __EH_prolog ctype 76048->76085 76086 41e40 free 76048->76086 76051 6dad1 __EH_prolog 76050->76051 76052 42e04 2 API calls 76051->76052 76053 6db33 76052->76053 76054 42e04 2 API calls 76053->76054 76055 6db3f 76054->76055 76056 42e04 2 API calls 76055->76056 76057 6db55 76056->76057 76057->76022 76089 4631f 76058->76089 76061 46423 76063 42f88 3 API calls 76061->76063 76062 42f88 3 API calls 76062->76061 76064 4643d 76063->76064 76065 57e5a 76064->76065 76066 57e64 __EH_prolog 76065->76066 76145 58179 76066->76145 76069 67ebb free 76070 57e7f 76069->76070 76071 42fec 3 API calls 76070->76071 76072 57e9a 76071->76072 76073 42da9 2 API calls 76072->76073 76074 57ea7 76073->76074 76075 46c72 44 API calls 76074->76075 76076 57eb7 76075->76076 76150 41e40 free 76076->76150 76078 57ecb 76079 57ed8 76078->76079 76151 4757d GetLastError 76078->76151 76079->76029 76079->76034 76081->76040 76082->76045 76083->76036 76084->76045 76085->76048 76086->76048 76087->76041 76088->76045 76090 49245 76089->76090 76093 490da 76090->76093 76094 490e4 __EH_prolog 76093->76094 76095 42f88 3 API calls 76094->76095 76096 490f7 76095->76096 76097 4915d 76096->76097 76103 49109 76096->76103 76098 42e04 2 API calls 76097->76098 76099 49165 76098->76099 76100 491be 76099->76100 76104 49174 76099->76104 76139 46332 6 API calls 2 library calls 76100->76139 76102 46414 76102->76061 76102->76062 76103->76102 76106 42e47 2 API calls 76103->76106 76107 42f88 3 API calls 76104->76107 76105 4917d 76131 491ca 76105->76131 76137 4859e malloc _CxxThrowException free _CxxThrowException 76105->76137 76108 49122 76106->76108 76107->76105 76134 48f57 memmove 76108->76134 76111 4912e 76114 4914d 76111->76114 76135 431e5 malloc _CxxThrowException free _CxxThrowException 76111->76135 76113 49185 76117 42e04 2 API calls 76113->76117 76136 41e40 free 76114->76136 76118 49197 76117->76118 76119 491ce 76118->76119 76120 4919f 76118->76120 76122 42f88 3 API calls 76119->76122 76121 491b9 76120->76121 76138 41089 malloc _CxxThrowException free _CxxThrowException 76120->76138 76140 43199 malloc _CxxThrowException free _CxxThrowException 76121->76140 76122->76121 76125 491e6 76141 48f57 memmove 76125->76141 76127 491ee 76128 42fec 3 API calls 76127->76128 76133 491f2 76127->76133 76130 49212 76128->76130 76142 431e5 malloc _CxxThrowException free _CxxThrowException 76130->76142 76144 41e40 free 76131->76144 76143 41e40 free 76133->76143 76134->76111 76135->76114 76136->76102 76137->76113 76138->76121 76139->76105 76140->76125 76141->76127 76142->76133 76143->76131 76144->76102 76147 58906 76145->76147 76146 57e77 76146->76069 76147->76146 76152 58804 free ctype 76147->76152 76153 41e40 free 76147->76153 76150->76078 76151->76079 76152->76147 76153->76147 76154 7acd3 76155 7acf1 76154->76155 76156 7ace0 76154->76156 76156->76155 76160 7acf8 76156->76160 76161 7c0b3 __EH_prolog 76160->76161 76165 7c0ed 76161->76165 76168 67193 76161->76168 76176 41e40 free 76161->76176 76163 7aceb 76167 41e40 free 76163->76167 76177 41e40 free 76165->76177 76167->76155 76169 6719d __EH_prolog 76168->76169 76178 72db9 free ctype 76169->76178 76171 671b3 76179 671d5 free __EH_prolog ctype 76171->76179 76173 671bf 76180 41e40 free 76173->76180 76175 671c7 76175->76161 76176->76161 76177->76163 76178->76171 76179->76173 76180->76175 76181 442d1 76182 442bd 76181->76182 76183 442c5 76182->76183 76184 41e0c ctype 2 API calls 76182->76184 76184->76183 76185 51ade 76186 51ae8 __EH_prolog 76185->76186 76236 413f5 76186->76236 76189 51b32 6 API calls 76191 51b8d 76189->76191 76199 51bf8 76191->76199 76254 51ea4 9 API calls 76191->76254 76192 51b24 _CxxThrowException 76192->76189 76194 51bdf 76255 427bb 76194->76255 76198 51c89 76250 51eb9 76198->76250 76199->76198 76262 61d73 5 API calls __EH_prolog 76199->76262 76204 51cb2 _CxxThrowException 76204->76198 76237 413ff __EH_prolog 76236->76237 76238 67ebb free 76237->76238 76239 4142b 76238->76239 76240 41438 76239->76240 76263 41212 free ctype 76239->76263 76242 41e0c ctype 2 API calls 76240->76242 76246 4144d 76242->76246 76243 414f4 76243->76189 76253 61d73 5 API calls __EH_prolog 76243->76253 76244 804d2 5 API calls 76244->76246 76246->76243 76246->76244 76248 41507 76246->76248 76264 41265 5 API calls 2 library calls 76246->76264 76265 41524 malloc _CxxThrowException __EH_prolog ctype 76246->76265 76249 42fec 3 API calls 76248->76249 76249->76243 76266 49313 GetCurrentProcess OpenProcessToken 76250->76266 76253->76192 76254->76194 76256 427e3 76255->76256 76257 427c7 76255->76257 76261 41e40 free 76256->76261 76257->76256 76258 41e0c ctype 2 API calls 76257->76258 76259 427da 76258->76259 76273 41e40 free 76259->76273 76261->76199 76262->76204 76263->76240 76264->76246 76265->76246 76267 49390 76266->76267 76268 4933a LookupPrivilegeValueW 76266->76268 76269 49382 76268->76269 76270 4934c AdjustTokenPrivileges 76268->76270 76272 49385 CloseHandle 76269->76272 76270->76269 76271 49372 GetLastError 76270->76271 76271->76272 76272->76267 76273->76256 76274 bf190 76275 41e0c ctype 2 API calls 76274->76275 76276 bf1b0 76275->76276 76277 5459e 76278 545ab 76277->76278 76279 545bc 76277->76279 76278->76279 76283 545c3 76278->76283 76284 545cd __EH_prolog 76283->76284 76312 579b2 free ctype 76284->76312 76286 545e8 76313 41e40 free 76286->76313 76288 545f3 76314 72db9 free ctype 76288->76314 76290 54609 76315 41e40 free 76290->76315 76292 54610 76316 41e40 free 76292->76316 76294 5461b 76317 41e40 free 76294->76317 76296 54626 76318 5794c free ctype 76296->76318 76298 54638 76319 72db9 free ctype 76298->76319 76300 5465b 76320 41e40 free 76300->76320 76302 5468e 76321 41e40 free 76302->76321 76304 546ae 76322 54733 free __EH_prolog ctype 76304->76322 76306 546be 76323 41e40 free 76306->76323 76308 546e8 76324 41e40 free 76308->76324 76310 545b6 76311 41e40 free 76310->76311 76311->76279 76312->76286 76313->76288 76314->76290 76315->76292 76316->76294 76317->76296 76318->76298 76319->76300 76320->76302 76321->76304 76322->76306 76323->76308 76324->76310 76326 c69d0 76327 c69d4 76326->76327 76328 c69d7 malloc 76326->76328 76329 4b5d9 76330 4b5e6 76329->76330 76334 4b5f7 76329->76334 76330->76334 76335 4b5fe 76330->76335 76336 4b608 __EH_prolog 76335->76336 76342 c6a40 VirtualFree 76336->76342 76338 4b63d 76339 4764c CloseHandle 76338->76339 76340 4b5f1 76339->76340 76341 41e40 free 76340->76341 76341->76334 76342->76338 76343 7c2e6 76344 7c52f 76343->76344 76347 7544f SetConsoleCtrlHandler 76344->76347 76346 7c53b 76347->76346 76348 47b20 76351 47ab2 76348->76351 76352 47ac5 76351->76352 76353 4759a 12 API calls 76352->76353 76354 47ade 76353->76354 76355 47b03 76354->76355 76356 47aeb SetFileTime 76354->76356 76359 47919 76355->76359 76356->76355 76360 47aac 76359->76360 76361 4793c 76359->76361 76361->76360 76362 47945 DeviceIoControl 76361->76362 76363 479e6 76362->76363 76364 47969 76362->76364 76365 479ef DeviceIoControl 76363->76365 76368 47a14 76363->76368 76364->76363 76370 479a7 76364->76370 76366 47a22 DeviceIoControl 76365->76366 76365->76368 76367 47a44 DeviceIoControl 76366->76367 76366->76368 76367->76368 76368->76360 76376 4780d 8 API calls ctype 76368->76376 76375 49252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 76370->76375 76371 47aa5 76372 477de 5 API calls 76371->76372 76372->76360 76374 479d0 76374->76363 76375->76374 76376->76371 76377 7a42c 76378 7a435 fputs 76377->76378 76379 7a449 76377->76379 76535 41fa0 fputc 76378->76535 76536 7545d 76379->76536 76383 42e04 2 API calls 76384 7a4a1 76383->76384 76540 61858 76384->76540 76386 7a4c9 76602 41e40 free 76386->76602 76388 7a4d8 76389 7a4ee 76388->76389 76603 7c7d7 76388->76603 76391 7a50e 76389->76391 76611 757fb 76389->76611 76621 7c73e 76391->76621 76395 7aae5 76798 72db9 free ctype 76395->76798 76397 7ac17 76799 72db9 free ctype 76397->76799 76398 41e0c ctype 2 API calls 76400 7a53a 76398->76400 76402 7a54d 76400->76402 76757 7b0fa malloc _CxxThrowException __EH_prolog 76400->76757 76401 7ac23 76403 7ac3a 76401->76403 76405 7ac35 76401->76405 76407 42fec 3 API calls 76402->76407 76801 7b96d _CxxThrowException 76403->76801 76800 7b988 33 API calls __aulldiv 76405->76800 76414 7a586 76407->76414 76409 7ac42 76802 41e40 free 76409->76802 76411 7ac4d 76803 63247 76411->76803 76639 7ad06 76414->76639 76418 7ac7d 76810 411c2 free __EH_prolog ctype 76418->76810 76422 7ac89 76811 7be0c free __EH_prolog ctype 76422->76811 76426 7ac98 76812 72db9 free ctype 76426->76812 76427 42e04 2 API calls 76429 7a636 76427->76429 76657 64345 76429->76657 76431 7aca4 76433 7a676 76535->76379 76537 75466 76536->76537 76538 75473 76536->76538 76813 4275e malloc _CxxThrowException free ctype 76537->76813 76538->76383 76541 61862 __EH_prolog 76540->76541 76814 6021a 76541->76814 76546 618b9 76828 61aa5 free __EH_prolog ctype 76546->76828 76548 61935 76833 61aa5 free __EH_prolog ctype 76548->76833 76549 618c7 76829 72db9 free ctype 76549->76829 76552 61944 76574 61966 76552->76574 76834 61d73 5 API calls __EH_prolog 76552->76834 76554 618d3 76554->76386 76555 804d2 5 API calls 76561 618db 76555->76561 76557 61958 _CxxThrowException 76557->76574 76558 619be 76837 6f1f1 malloc _CxxThrowException free _CxxThrowException 76558->76837 76560 42e04 2 API calls 76560->76574 76561->76548 76561->76555 76830 60144 malloc _CxxThrowException free _CxxThrowException 76561->76830 76831 41524 malloc _CxxThrowException __EH_prolog ctype 76561->76831 76832 41e40 free 76561->76832 76564 619d6 76566 67ebb free 76564->76566 76565 4631f 9 API calls 76565->76574 76567 619e1 76566->76567 76568 512d4 4 API calls 76567->76568 76570 619ea 76568->76570 76569 804d2 5 API calls 76569->76574 76571 67ebb free 76570->76571 76573 619f7 76571->76573 76575 512d4 4 API calls 76573->76575 76574->76558 76574->76560 76574->76565 76574->76569 76835 41524 malloc _CxxThrowException __EH_prolog ctype 76574->76835 76836 41e40 free 76574->76836 76584 619ff 76575->76584 76577 61a4f 76839 41e40 free 76577->76839 76579 41524 malloc _CxxThrowException 76579->76584 76580 61a57 76840 72db9 free ctype 76580->76840 76582 61a64 76841 72db9 free ctype 76582->76841 76584->76577 76584->76579 76586 61a83 76584->76586 76838 442e3 CharUpperW 76584->76838 76842 61d73 5 API calls __EH_prolog 76586->76842 76588 61a97 _CxxThrowException 76589 61aa5 __EH_prolog 76588->76589 76843 41e40 free 76589->76843 76591 61ac8 76844 602e8 free ctype 76591->76844 76593 61ad1 76845 61eab free __EH_prolog ctype 76593->76845 76595 61add 76846 41e40 free 76595->76846 76597 61ae5 76847 41e40 free 76597->76847 76599 61aed 76848 72db9 free ctype 76599->76848 76601 61afa 76601->76386 76602->76388 76604 7c7ea 76603->76604 76605 7c849 76603->76605 76606 7c7fe fputs 76604->76606 76976 425cb malloc _CxxThrowException free _CxxThrowException ctype 76604->76976 76607 7c85a 76605->76607 76977 41f91 fflush 76605->76977 76606->76605 76607->76389 76612 75805 __EH_prolog 76611->76612 76613 75847 76612->76613 76978 426dd 76612->76978 76613->76391 76619 7583f 76998 41e40 free 76619->76998 76622 7c748 __EH_prolog 76621->76622 76623 7c7d7 ctype 6 API calls 76622->76623 76624 7c75d 76623->76624 77037 41e40 free 76624->77037 76626 7c768 76627 62c0b ctype free 76626->76627 76628 7c775 76627->76628 77038 41e40 free 76628->77038 76630 7c77d 77039 41e40 free 76630->77039 76632 7c785 77040 41e40 free 76632->77040 76634 7c78d 77041 41e40 free 76634->77041 76636 7c795 76637 62c0b ctype free 76636->76637 76638 7a51d 76637->76638 76638->76395 76638->76398 77042 7ad29 76639->77042 76642 7bf3e 76643 42fec 3 API calls 76642->76643 76644 7bf85 76643->76644 76645 42fec 3 API calls 76644->76645 76646 7a5ee 76645->76646 76647 53a29 76646->76647 76648 53a3b 76647->76648 76652 53a37 76647->76652 77048 53bd9 free ctype 76648->77048 76650 53a42 76651 53a6f 76650->76651 76653 53a67 76650->76653 76654 53a52 _CxxThrowException 76650->76654 76651->76652 77050 53b76 malloc _CxxThrowException __EH_prolog ctype 76651->77050 76652->76427 77049 80551 malloc _CxxThrowException free memcpy ctype 76653->77049 76654->76653 76658 6434f __EH_prolog 76657->76658 76659 42e04 2 API calls 76658->76659 76660 6436d 76659->76660 76661 42e04 2 API calls 76660->76661 76662 64379 76661->76662 76662->76433 76758 6375c 22 API calls 2 library calls 76662->76758 76757->76402 76798->76397 76799->76401 76800->76403 76801->76409 76802->76411 76804 6324e 76803->76804 76805 63260 76804->76805 77760 41e40 free 76804->77760 77759 41e40 free 76805->77759 76808 63267 76809 41e40 free 76808->76809 76809->76418 76810->76422 76811->76426 76812->76431 76813->76538 76815 60224 __EH_prolog 76814->76815 76849 53d66 76815->76849 76818 6062e 76819 60638 __EH_prolog 76818->76819 76820 606de 76819->76820 76824 606ee 76819->76824 76825 601bc malloc _CxxThrowException free _CxxThrowException memcpy 76819->76825 76865 60703 76819->76865 76935 72db9 free ctype 76819->76935 76936 6019a malloc _CxxThrowException free memcpy 76820->76936 76822 606e6 76937 61453 26 API calls 2 library calls 76822->76937 76824->76546 76824->76561 76825->76819 76828->76549 76829->76554 76830->76561 76831->76561 76832->76561 76833->76552 76834->76557 76835->76574 76836->76574 76837->76564 76838->76584 76839->76580 76840->76582 76841->76554 76842->76588 76843->76591 76844->76593 76845->76595 76846->76597 76847->76599 76848->76601 76860 dfb10 76849->76860 76851 53d70 GetCurrentProcess 76861 53e04 76851->76861 76853 53d8d OpenProcessToken 76854 53de3 76853->76854 76855 53d9e LookupPrivilegeValueW 76853->76855 76857 53e04 CloseHandle 76854->76857 76855->76854 76856 53dc0 AdjustTokenPrivileges 76855->76856 76856->76854 76858 53dd5 GetLastError 76856->76858 76859 53def 76857->76859 76858->76854 76859->76818 76860->76851 76862 53e11 CloseHandle 76861->76862 76863 53e0d 76861->76863 76864 53e21 76862->76864 76863->76853 76864->76853 76911 6070d __EH_prolog 76865->76911 76866 60e1d 76973 60416 18 API calls 2 library calls 76866->76973 76868 60ea6 76975 8ec78 free ctype 76868->76975 76869 60d11 76967 47496 7 API calls 2 library calls 76869->76967 76872 60c13 76964 41e40 free 76872->76964 76873 60c83 76873->76866 76873->76869 76875 42da9 2 API calls 76875->76911 76877 60de0 76969 72db9 free ctype 76877->76969 76878 42da9 2 API calls 76908 60ab5 76878->76908 76879 60e47 76879->76868 76974 6117d 68 API calls 2 library calls 76879->76974 76880 60b40 76880->76819 76881 42f1c 2 API calls 76909 60d29 76881->76909 76883 60df8 76971 41e40 free 76883->76971 76884 42e04 2 API calls 76884->76911 76886 42e04 2 API calls 76886->76908 76890 60e02 76972 72db9 free ctype 76890->76972 76891 42e04 2 API calls 76891->76909 76895 42fec 3 API calls 76895->76911 76897 42fec 3 API calls 76897->76909 76898 42fec 3 API calls 76898->76908 76902 6050b 44 API calls 76902->76908 76904 60df3 76970 41e40 free 76904->76970 76906 41e40 free ctype 76906->76909 76908->76872 76908->76878 76908->76886 76908->76898 76908->76902 76912 60c79 76908->76912 76919 41e40 free ctype 76908->76919 76955 42f4a malloc _CxxThrowException free ctype 76908->76955 76960 41089 malloc _CxxThrowException free _CxxThrowException 76908->76960 76961 613eb 5 API calls 2 library calls 76908->76961 76962 60ef4 68 API calls 2 library calls 76908->76962 76963 72db9 free ctype 76908->76963 76965 60021 GetLastError 76908->76965 76909->76877 76909->76881 76909->76883 76909->76891 76909->76897 76909->76904 76909->76906 76968 6117d 68 API calls 2 library calls 76909->76968 76911->76873 76911->76875 76911->76880 76911->76884 76911->76895 76911->76908 76927 60b48 76911->76927 76928 804d2 malloc _CxxThrowException free _CxxThrowException memcpy 76911->76928 76930 60b26 76911->76930 76931 41524 malloc _CxxThrowException 76911->76931 76932 41e40 free ctype 76911->76932 76934 72db9 free ctype 76911->76934 76938 42f4a malloc _CxxThrowException free ctype 76911->76938 76939 41089 malloc _CxxThrowException free _CxxThrowException 76911->76939 76940 613eb 5 API calls 2 library calls 76911->76940 76941 6050b 76911->76941 76946 60021 GetLastError 76911->76946 76947 449bd 9 API calls 2 library calls 76911->76947 76948 60306 12 API calls 76911->76948 76949 5ff00 5 API calls 2 library calls 76911->76949 76950 6057d 16 API calls 2 library calls 76911->76950 76951 60f8e 24 API calls 2 library calls 76911->76951 76952 4472e CharUpperW 76911->76952 76953 58984 malloc _CxxThrowException free _CxxThrowException memcpy 76911->76953 76954 60ef4 68 API calls 2 library calls 76911->76954 76966 41e40 free 76912->76966 76913 60b30 76957 41e40 free 76913->76957 76917 60b38 76958 41e40 free 76917->76958 76919->76908 76959 72db9 free ctype 76927->76959 76928->76911 76956 41e40 free 76930->76956 76931->76911 76932->76911 76934->76911 76935->76819 76936->76822 76937->76824 76938->76911 76939->76911 76940->76911 76942 46c72 44 API calls 76941->76942 76945 6051e 76942->76945 76943 60575 76943->76911 76944 42f88 3 API calls 76944->76943 76945->76943 76945->76944 76946->76911 76947->76911 76948->76911 76949->76911 76950->76911 76951->76911 76952->76911 76953->76911 76954->76911 76955->76908 76956->76913 76957->76917 76958->76880 76959->76930 76960->76908 76961->76908 76962->76908 76963->76908 76964->76880 76965->76908 76966->76873 76967->76909 76968->76909 76969->76880 76970->76883 76971->76890 76972->76880 76973->76879 76974->76879 76975->76880 76976->76606 76977->76607 76979 41e0c ctype 2 API calls 76978->76979 76980 426ea 76979->76980 76981 75678 76980->76981 76982 756b1 76981->76982 76983 75689 76981->76983 76999 75593 76982->76999 76984 75593 6 API calls 76983->76984 76986 756a5 76984->76986 77013 428a1 76986->77013 76991 7570e fputs 76997 41fa0 fputc 76991->76997 76993 756ef 76994 75593 6 API calls 76993->76994 76995 75701 76994->76995 76996 75711 6 API calls 76995->76996 76996->76991 76997->76619 76998->76613 77000 755ad 76999->77000 77001 428a1 5 API calls 77000->77001 77002 755b8 77001->77002 77018 4286d 77002->77018 77005 428a1 5 API calls 77006 755c7 77005->77006 77007 75711 77006->77007 77008 75721 77007->77008 77009 756e0 77007->77009 77010 428a1 5 API calls 77008->77010 77009->76991 77017 42881 malloc _CxxThrowException free memcpy _CxxThrowException 77009->77017 77011 7572b 77010->77011 77026 755cd 6 API calls 77011->77026 77014 428b0 77013->77014 77027 4267f 77014->77027 77016 428bf 77016->76982 77017->76993 77021 41e9d 77018->77021 77022 41ead 77021->77022 77023 41ea8 77021->77023 77022->77005 77025 4263c malloc _CxxThrowException free memcpy _CxxThrowException 77023->77025 77025->77022 77026->77009 77028 426c2 77027->77028 77029 42693 77027->77029 77028->77016 77030 426c8 _CxxThrowException 77029->77030 77032 426bc 77029->77032 77031 426dd 77030->77031 77033 41e0c ctype 2 API calls 77031->77033 77036 42595 malloc _CxxThrowException free memcpy ctype 77032->77036 77035 426ea 77033->77035 77035->77016 77036->77028 77037->76626 77038->76630 77039->76632 77040->76634 77041->76636 77043 7ad33 __EH_prolog 77042->77043 77044 42e04 2 API calls 77043->77044 77045 7ad5f 77044->77045 77046 42e04 2 API calls 77045->77046 77047 7a5d8 77046->77047 77047->76642 77048->76650 77049->76651 77050->76651 77759->76808 77760->76804 77761 51368 77765 5136d 77761->77765 77763 5138c 77765->77763 77767 d7d80 WaitForSingleObject 77765->77767 77770 7f745 77765->77770 77774 d7ea0 SetEvent GetLastError 77765->77774 77768 d7d8e GetLastError 77767->77768 77769 d7d98 77767->77769 77768->77769 77769->77765 77771 7f74f __EH_prolog 77770->77771 77775 7f784 77771->77775 77773 7f765 77773->77765 77774->77765 77776 7f78e __EH_prolog 77775->77776 77777 512d4 4 API calls 77776->77777 77778 7f7c7 77777->77778 77779 512d4 4 API calls 77778->77779 77781 7f7d4 77779->77781 77780 7f871 77780->77773 77781->77780 77784 c6b23 VirtualAlloc 77781->77784 77785 4c4d6 77781->77785 77784->77780 77789 4c4e9 77785->77789 77786 4c6f3 77786->77780 77787 5111c 10 API calls 77787->77789 77788 511b4 107 API calls 77788->77789 77789->77786 77789->77787 77789->77788 77790 4c695 memmove 77789->77790 77790->77789 77791 d7da0 WaitForSingleObject 77792 d7dbb GetLastError 77791->77792 77793 d7dc1 77791->77793 77792->77793 77794 d7dce CloseHandle 77793->77794 77796 d7ddf 77793->77796 77795 d7dd9 GetLastError 77794->77795 77794->77796 77795->77796 77797 8bf67 77798 8bf74 77797->77798 77799 8bf85 77797->77799 77798->77799 77803 8bf8c 77798->77803 77804 8bf96 __EH_prolog 77803->77804 77820 8d144 77804->77820 77808 8bfd0 77827 41e40 free 77808->77827 77810 8bfdb 77828 41e40 free 77810->77828 77812 8bfe6 77829 8c072 free ctype 77812->77829 77814 8bff4 77830 5aafa free VariantClear ctype 77814->77830 77816 8c023 77831 673d2 free VariantClear __EH_prolog ctype 77816->77831 77818 8bf7f 77819 41e40 free 77818->77819 77819->77799 77823 8d14e __EH_prolog 77820->77823 77821 8d1b7 free 77822 8d180 77821->77822 77832 88e04 memset 77822->77832 77823->77821 77825 8bfc5 77826 41e40 free 77825->77826 77826->77808 77827->77810 77828->77812 77829->77814 77830->77816 77831->77818 77832->77825 77833 c6ba3 VirtualFree 77834 7adb7 77835 7adc1 __EH_prolog 77834->77835 77836 426dd 2 API calls 77835->77836 77837 7ae1d 77836->77837 77838 42e04 2 API calls 77837->77838 77839 7ae38 77838->77839 77840 42e04 2 API calls 77839->77840 77841 7ae44 77840->77841 77842 42e04 2 API calls 77841->77842 77843 7ae68 77842->77843 77844 7ad29 2 API calls 77843->77844 77845 7ae85 77844->77845 77850 7af2d 77845->77850 77847 7ae94 77848 42e04 2 API calls 77847->77848 77849 7aeb2 77848->77849 77851 7af37 __EH_prolog 77850->77851 77862 534f4 malloc _CxxThrowException __EH_prolog 77851->77862 77853 7afac 77854 42e04 2 API calls 77853->77854 77855 7afbb 77854->77855 77856 42e04 2 API calls 77855->77856 77857 7afca 77856->77857 77858 42e04 2 API calls 77857->77858 77859 7afd9 77858->77859 77860 42e04 2 API calls 77859->77860 77861 7afe8 77860->77861 77861->77847 77862->77853 77863 75475 77864 42fec 3 API calls 77863->77864 77865 754b4 77864->77865 77866 7c911 24 API calls 77865->77866 77867 754bb 77866->77867 77868 88eb1 77873 88ed1 77868->77873 77870 88ec9 77874 88edb __EH_prolog 77873->77874 77882 89267 77874->77882 77878 88efd 77887 7e5f1 free ctype 77878->77887 77880 88eb9 77880->77870 77881 41e40 free 77880->77881 77881->77870 77883 89271 __EH_prolog 77882->77883 77888 41e40 free 77883->77888 77885 88ef1 77886 8922b free CloseHandle GetLastError ctype 77885->77886 77886->77878 77887->77880 77888->77885 77889 4c3bd 77890 4c3db 77889->77890 77891 4c3ca 77889->77891 77891->77890 77893 41e40 free 77891->77893 77893->77890 77894 7993d 77978 7b5b1 77894->77978 77897 79963 77984 51f33 77897->77984 77898 41fb3 11 API calls 77898->77897 77900 79975 77901 799b7 GetStdHandle GetConsoleScreenBufferInfo 77900->77901 77902 799ce 77900->77902 77901->77902 77903 41e0c ctype 2 API calls 77902->77903 77904 799dc 77903->77904 78105 67b48 77904->78105 77906 79a29 78122 7b96d _CxxThrowException 77906->78122 77908 79a30 78123 67018 8 API calls 2 library calls 77908->78123 77910 79a7c 78124 6ddb5 6 API calls 2 library calls 77910->78124 77912 79a66 _CxxThrowException 77912->77910 77913 79aa6 77915 79aaa _CxxThrowException 77913->77915 77924 79ac0 77913->77924 77914 79a37 77914->77910 77914->77912 77915->77924 77916 79b3a 78128 41fa0 fputc 77916->78128 77919 79bfa _CxxThrowException 77952 79be6 77919->77952 77920 79b63 fputs 78129 41fa0 fputc 77920->78129 77923 79b79 strlen strlen 77926 79e25 77923->77926 77927 79baa fputs fputc 77923->77927 77924->77916 77924->77919 78125 67dd7 7 API calls 2 library calls 77924->78125 78126 7c077 6 API calls 77924->78126 78127 41e40 free 77924->78127 78137 41fa0 fputc 77926->78137 77927->77952 77929 79e2c fputs 78138 41fa0 fputc 77929->78138 77931 79f0c 78143 41fa0 fputc 77931->78143 77935 7b67d 12 API calls 77935->77952 77936 79f13 fputs 78144 41fa0 fputc 77936->78144 77939 42e04 2 API calls 77939->77952 77940 7ac3a 78150 7b96d _CxxThrowException 77940->78150 77942 7ac35 78149 7b988 33 API calls __aulldiv 77942->78149 77945 7ac42 78151 41e40 free 77945->78151 77948 7ac4d 77951 63247 free 77948->77951 77950 431e5 malloc _CxxThrowException free _CxxThrowException 77950->77952 77954 7ac5d 77951->77954 77952->77926 77952->77927 77952->77935 77952->77939 77952->77950 77958 79d2a fputs 77952->77958 77962 79d5f fputs 77952->77962 78130 421d8 fputs 77952->78130 78131 4315e malloc _CxxThrowException free _CxxThrowException 77952->78131 78132 43221 malloc _CxxThrowException free _CxxThrowException 77952->78132 78133 41089 malloc _CxxThrowException free _CxxThrowException 77952->78133 78135 41fa0 fputc 77952->78135 78136 41e40 free 77952->78136 77953 79e42 77953->77931 77971 79ee0 fputs 77953->77971 78139 7b650 fputc fputs fputs fputc 77953->78139 78140 421d8 fputs 77953->78140 78141 7bde4 fputc fputs 77953->78141 78152 41e40 free 77954->78152 77955 79f29 77966 79f77 fputs 77955->77966 77975 79f9f 77955->77975 78145 7b650 fputc fputs fputs fputc 77955->78145 78146 7b5e9 fputc fputs 77955->78146 78147 7bde4 fputc fputs 77955->78147 78134 421d8 fputs 77958->78134 77962->77952 77964 7ac7d 78153 411c2 free __EH_prolog ctype 77964->78153 78148 41fa0 fputc 77966->78148 78142 41fa0 fputc 77971->78142 77975->77940 77975->77942 77979 7994a 77978->77979 77980 7b5bc fputs 77978->77980 77979->77897 77979->77898 78156 41fa0 fputc 77980->78156 77982 7b5d5 77982->77979 77983 7b5d9 fputs 77982->77983 77983->77979 77985 51f6c 77984->77985 77986 51f4f 77984->77986 78157 529eb 77985->78157 78189 61d73 5 API calls __EH_prolog 77986->78189 77989 51f5e _CxxThrowException 77989->77985 77991 51fa3 77993 51fbc 77991->77993 77995 44fc0 5 API calls 77991->77995 77996 51fda 77993->77996 77997 42fec 3 API calls 77993->77997 77994 51f95 _CxxThrowException 77994->77991 77995->77993 77998 52022 wcscmp 77996->77998 78007 52036 77996->78007 77997->77996 77999 520af 77998->77999 77998->78007 78191 61d73 5 API calls __EH_prolog 77999->78191 78001 520a9 78192 5393c 6 API calls 2 library calls 78001->78192 78002 520be _CxxThrowException 78002->78007 78004 520f4 78193 5393c 6 API calls 2 library calls 78004->78193 78006 52108 78008 52135 78006->78008 78194 52e04 62 API calls 2 library calls 78006->78194 78007->78001 78010 5219a 78007->78010 78014 52159 78008->78014 78195 52e04 62 API calls 2 library calls 78008->78195 78196 61d73 5 API calls __EH_prolog 78010->78196 78013 521a9 _CxxThrowException 78013->78014 78015 5227f 78014->78015 78017 52245 78014->78017 78197 61d73 5 API calls __EH_prolog 78014->78197 78162 52aa9 78015->78162 78020 42fec 3 API calls 78017->78020 78021 5225c 78020->78021 78021->78015 78198 61d73 5 API calls __EH_prolog 78021->78198 78022 522d9 78025 52302 78022->78025 78027 42fec 3 API calls 78022->78027 78023 52237 _CxxThrowException 78023->78017 78024 42fec 3 API calls 78024->78022 78028 44fc0 5 API calls 78025->78028 78027->78025 78030 52315 78028->78030 78029 52271 _CxxThrowException 78029->78015 78180 5384c 78030->78180 78032 52322 78034 526c6 78032->78034 78045 523a1 78032->78045 78033 528ce 78036 5293a 78033->78036 78050 528d5 78033->78050 78034->78033 78035 52700 78034->78035 78211 61d73 5 API calls __EH_prolog 78034->78211 78212 532ec 14 API calls 2 library calls 78035->78212 78039 529a5 78036->78039 78040 5293f 78036->78040 78042 529ae _CxxThrowException 78039->78042 78100 5264d 78039->78100 78219 44eec 16 API calls 78040->78219 78041 526f2 _CxxThrowException 78041->78035 78043 52713 78046 53a29 5 API calls 78043->78046 78048 5247a wcscmp 78045->78048 78057 5248e 78045->78057 78061 52722 78046->78061 78047 5294c 78220 44ea1 8 API calls 78047->78220 78052 524cf wcscmp 78048->78052 78048->78057 78050->78100 78218 61d73 5 API calls __EH_prolog 78050->78218 78055 524ef wcscmp 78052->78055 78052->78057 78055->78057 78059 5250f 78055->78059 78056 52953 78060 44fc0 5 API calls 78056->78060 78065 5252c 78057->78065 78199 44eec 16 API calls 78057->78199 78200 44ea1 8 API calls 78057->78200 78201 61d73 5 API calls __EH_prolog 78057->78201 78058 52920 _CxxThrowException 78058->78100 78202 61d73 5 API calls __EH_prolog 78059->78202 78060->78100 78064 42fec 3 API calls 78061->78064 78067 527cf 78061->78067 78063 5251e _CxxThrowException 78063->78065 78068 527a9 78064->78068 78072 52569 78065->78072 78203 52e04 62 API calls 2 library calls 78065->78203 78066 52880 78071 5289b 78066->78071 78075 42fec 3 API calls 78066->78075 78067->78066 78070 5281f 78067->78070 78214 61d73 5 API calls __EH_prolog 78067->78214 78068->78067 78213 43563 memmove 78068->78213 78070->78066 78081 52847 78070->78081 78215 61d73 5 API calls __EH_prolog 78070->78215 78071->78100 78217 61d73 5 API calls __EH_prolog 78071->78217 78074 5258c 78072->78074 78204 52e04 62 API calls 2 library calls 78072->78204 78079 525a4 78074->78079 78205 52a61 malloc _CxxThrowException free _CxxThrowException memcpy 78074->78205 78075->78071 78076 524c1 _CxxThrowException 78076->78052 78206 44eec 16 API calls 78079->78206 78080 52811 _CxxThrowException 78080->78070 78081->78066 78216 61d73 5 API calls __EH_prolog 78081->78216 78088 525ad 78207 61b07 49 API calls 78088->78207 78089 528c0 _CxxThrowException 78089->78033 78090 52839 _CxxThrowException 78090->78081 78091 52872 _CxxThrowException 78091->78066 78093 525b4 78208 44ea1 8 API calls 78093->78208 78095 525bb 78096 42fec 3 API calls 78095->78096 78098 525d6 78095->78098 78096->78098 78097 5261f 78097->78100 78101 42fec 3 API calls 78097->78101 78098->78097 78098->78100 78209 61d73 5 API calls __EH_prolog 78098->78209 78100->77900 78103 5263f 78101->78103 78102 52611 _CxxThrowException 78102->78097 78210 4859e malloc _CxxThrowException free _CxxThrowException 78103->78210 78106 67b52 __EH_prolog 78105->78106 78230 67eec 78106->78230 78109 67ca4 78109->77906 78110 42e04 malloc _CxxThrowException 78113 67b63 78110->78113 78111 430ea malloc _CxxThrowException free 78111->78113 78113->78109 78113->78110 78113->78111 78114 41e40 free ctype 78113->78114 78116 512a5 5 API calls 78113->78116 78117 804d2 5 API calls 78113->78117 78118 4429a 3 API calls 78113->78118 78120 67c61 memcpy 78113->78120 78121 67193 free 78113->78121 78235 670ea 78113->78235 78238 67a40 78113->78238 78256 67cc3 6 API calls 78113->78256 78257 674eb malloc _CxxThrowException memcpy __EH_prolog ctype 78113->78257 78114->78113 78116->78113 78117->78113 78118->78113 78120->78113 78121->78113 78122->77908 78123->77914 78124->77913 78125->77924 78126->77924 78127->77924 78128->77920 78129->77923 78130->77952 78131->77952 78132->77952 78133->77952 78134->77952 78135->77952 78136->77952 78137->77929 78138->77953 78139->77953 78140->77953 78141->77953 78142->77953 78143->77936 78144->77955 78145->77955 78146->77955 78147->77955 78148->77955 78149->77940 78150->77945 78151->77948 78152->77964 78156->77982 78158 42f1c 2 API calls 78157->78158 78160 529fe 78158->78160 78221 41e40 free 78160->78221 78161 51f7e 78161->77991 78190 61d73 5 API calls __EH_prolog 78161->78190 78163 52ab3 __EH_prolog 78162->78163 78164 42e8a 2 API calls 78163->78164 78175 52b0f 78163->78175 78166 52af4 78164->78166 78165 522ad 78165->78022 78165->78024 78222 52a61 malloc _CxxThrowException free _CxxThrowException memcpy 78166->78222 78168 52b04 78223 41e40 free 78168->78223 78169 52bc6 78228 61d73 5 API calls __EH_prolog 78169->78228 78172 52bd6 _CxxThrowException 78172->78165 78175->78165 78175->78169 78177 52b9f 78175->78177 78224 52cb4 48 API calls 2 library calls 78175->78224 78225 52bf5 8 API calls __EH_prolog 78175->78225 78226 52a61 malloc _CxxThrowException free _CxxThrowException memcpy 78175->78226 78177->78165 78227 61d73 5 API calls __EH_prolog 78177->78227 78179 52bb8 _CxxThrowException 78179->78169 78182 53856 __EH_prolog 78180->78182 78181 42e04 malloc _CxxThrowException 78181->78182 78182->78181 78183 42fec 3 API calls 78182->78183 78184 42f88 3 API calls 78182->78184 78185 804d2 5 API calls 78182->78185 78187 41e40 free ctype 78182->78187 78188 53917 78182->78188 78229 53b76 malloc _CxxThrowException __EH_prolog ctype 78182->78229 78183->78182 78184->78182 78185->78182 78187->78182 78188->78032 78189->77989 78190->77994 78191->78002 78192->78004 78193->78006 78194->78008 78195->78014 78196->78013 78197->78023 78198->78029 78199->78057 78200->78057 78201->78076 78202->78063 78203->78072 78204->78074 78205->78079 78206->78088 78207->78093 78208->78095 78209->78102 78210->78100 78211->78041 78212->78043 78213->78067 78214->78080 78215->78090 78216->78091 78217->78089 78218->78058 78219->78047 78220->78056 78221->78161 78222->78168 78223->78175 78224->78175 78225->78175 78226->78175 78227->78179 78228->78172 78229->78182 78231 67f14 78230->78231 78233 67ef7 78230->78233 78231->78113 78232 67193 free 78232->78233 78233->78231 78233->78232 78258 41e40 free 78233->78258 78236 42e04 2 API calls 78235->78236 78237 67103 78236->78237 78237->78113 78239 67a4a __EH_prolog 78238->78239 78259 4361b 6 API calls 2 library calls 78239->78259 78241 67a78 78260 4361b 6 API calls 2 library calls 78241->78260 78243 67b20 78262 72db9 free ctype 78243->78262 78245 67b2b 78263 72db9 free ctype 78245->78263 78247 42e04 malloc _CxxThrowException 78253 67a83 78247->78253 78248 67b37 78248->78113 78249 42fec 3 API calls 78249->78253 78250 804d2 5 API calls 78250->78253 78251 42fec 3 API calls 78252 67aca wcscmp 78251->78252 78252->78253 78253->78243 78253->78247 78253->78249 78253->78250 78253->78251 78255 41e40 free ctype 78253->78255 78261 67955 malloc _CxxThrowException __EH_prolog ctype 78253->78261 78255->78253 78256->78113 78257->78113 78258->78233 78259->78241 78260->78253 78261->78253 78262->78245 78263->78248 78267 dffb1 __setusermatherr 78268 dffbd 78267->78268 78272 e0068 _controlfp 78268->78272 78270 dffc2 _initterm __getmainargs _initterm __p___initenv 78271 7c27c 78270->78271 78272->78270 78273 c69f0 free 78274 6cefb 78275 6cf03 78274->78275 78304 6d0cc 78274->78304 78275->78304 78321 6cae9 VariantClear 78275->78321 78277 6cf59 78277->78304 78322 6cae9 VariantClear 78277->78322 78279 6cf71 78279->78304 78323 6cae9 VariantClear 78279->78323 78281 6cf87 78281->78304 78324 6cae9 VariantClear 78281->78324 78283 6cf9d 78283->78304 78325 6cae9 VariantClear 78283->78325 78285 6cfb3 78285->78304 78326 6cae9 VariantClear 78285->78326 78287 6cfc9 78287->78304 78327 44504 malloc _CxxThrowException 78287->78327 78289 6cfdc 78290 42e04 2 API calls 78289->78290 78292 6cfe7 78290->78292 78291 6d009 78294 6d07b 78291->78294 78296 6d080 78291->78296 78297 6d030 78291->78297 78292->78291 78293 42f88 3 API calls 78292->78293 78293->78291 78335 41e40 free 78294->78335 78332 67a0c CharUpperW 78296->78332 78300 42e04 2 API calls 78297->78300 78298 6d0c4 78336 41e40 free 78298->78336 78303 6d038 78300->78303 78302 6d08b 78333 5fdbc 4 API calls 2 library calls 78302->78333 78305 42e04 2 API calls 78303->78305 78307 6d046 78305->78307 78328 5fdbc 4 API calls 2 library calls 78307->78328 78308 6d0a7 78310 42fec 3 API calls 78308->78310 78312 6d0b3 78310->78312 78311 6d057 78313 42fec 3 API calls 78311->78313 78334 41e40 free 78312->78334 78315 6d063 78313->78315 78329 41e40 free 78315->78329 78317 6d06b 78330 41e40 free 78317->78330 78319 6d073 78331 41e40 free 78319->78331 78321->78277 78322->78279 78323->78281 78324->78283 78325->78285 78326->78287 78327->78289 78328->78311 78329->78317 78330->78319 78331->78294 78332->78302 78333->78308 78334->78294 78335->78298 78336->78304

                                  Executed Functions

                                  Function 00049313 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1028 49313-49338 GetCurrentProcess OpenProcessToken 1029 49390 1028->1029 1030 4933a-4934a LookupPrivilegeValueW 1028->1030 1031 49393-49398 1029->1031 1032 49382 1030->1032 1033 4934c-49370 AdjustTokenPrivileges 1030->1033 1035 49385-4938e CloseHandle 1032->1035 1033->1032 1034 49372-49380 GetLastError 1033->1034 1034->1035 1035->1031
                                  APIs
                                  • GetCurrentProcess.KERNEL32(00000020,00051EC5,?,7597AB50,?,?,?,?,00051EC5,00051CEF), ref: 00049329
                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00051EC5,00051CEF), ref: 00049330
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00049342
                                  • AdjustTokenPrivileges.KERNELBASE(00051EC5,00000000,?,00000000,00000000,00000000), ref: 00049368
                                  • GetLastError.KERNEL32 ref: 00049372
                                  • CloseHandle.KERNELBASE(00051EC5,?,?,?,?,00051EC5,00051CEF), ref: 00049388
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeRestorePrivilege
                                  • API String ID: 3398352648-1684392131
                                  • Opcode ID: dc05cc0e27bc0485c54043bacbf06a4375e7333dc0ffcea4156a7b37abdaf866
                                  • Instruction ID: a9afddf51fc8e75036877fe4d8f45ae18b42205240dcff231e94351f6a3ec66d
                                  • Opcode Fuzzy Hash: dc05cc0e27bc0485c54043bacbf06a4375e7333dc0ffcea4156a7b37abdaf866
                                  • Instruction Fuzzy Hash: E5018BB2945258ABEB209FF19C89BDF7FACAF02741F040164F442E2190D6798609C7A0
                                  Function 00053D66 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1036 53d66-53d9c call dfb10 GetCurrentProcess call 53e04 OpenProcessToken 1041 53de3-53dfe call 53e04 1036->1041 1042 53d9e-53dbe LookupPrivilegeValueW 1036->1042 1042->1041 1043 53dc0-53dd3 AdjustTokenPrivileges 1042->1043 1043->1041 1045 53dd5-53de1 GetLastError 1043->1045 1045->1041
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00053D6B
                                  • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053D7D
                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053D94
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00053DB6
                                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053DCB
                                  • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053DD5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                                  • String ID: SeSecurityPrivilege
                                  • API String ID: 3475889169-2333288578
                                  • Opcode ID: accc01205d671d8fc85e020feca2e22305243177d93418f28d067ca8c9c8d1d6
                                  • Instruction ID: e19cfd7d4158ce1300b20ec060a015a46ae986806e7ef6d827e725f441e97ecf
                                  • Opcode Fuzzy Hash: accc01205d671d8fc85e020feca2e22305243177d93418f28d067ca8c9c8d1d6
                                  • Instruction Fuzzy Hash: D01170B19412199FEB10DFE0DCC9AFEBBBCFB04785F000529E812F6191D7758A098A70
                                  Function 000881EC Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 995COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 000881F1
                                    • Part of subcall function 0008F749: _CxxThrowException.MSVCRT(?,000F4A58), ref: 0008F792
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionH_prologThrow
                                  • String ID:
                                  • API String ID: 461045715-3916222277
                                  • Opcode ID: 8144071b6e04d2d4db493d471c3c4b2be4aa5099dfa340f5da2866fd1dcc55b3
                                  • Instruction ID: 6d2827664948e99f8603dbcd2885afb86f54a7bbe8b4f50fba1d70d71e2767c8
                                  • Opcode Fuzzy Hash: 8144071b6e04d2d4db493d471c3c4b2be4aa5099dfa340f5da2866fd1dcc55b3
                                  • Instruction Fuzzy Hash: A7928F70900259DFDF15EFA8C844BEEBBF1BF18304F648099E885AB292CB759D45CB61
                                  Function 00046868 Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0004686D
                                    • Part of subcall function 00046848: FindClose.KERNELBASE(00000000,?,00046880), ref: 00046853
                                  • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 000468A5
                                  • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 000468DE
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: Find$FileFirst$CloseH_prolog
                                  • String ID:
                                  • API String ID: 3371352514-0
                                  • Opcode ID: 8968c880139792b077b0f187f03acc46355b609966672b9028717943ee892d50
                                  • Instruction ID: b0638052070abbdf496914ba9a8c3ec663d55afdd1a5003c2b28ae853eec0050
                                  • Opcode Fuzzy Hash: 8968c880139792b077b0f187f03acc46355b609966672b9028717943ee892d50
                                  • Instruction Fuzzy Hash: 9B11D0B15002099BDF10EFA4C8519EDB7B9EF12320F10477DE9A197192EB728E86DB45
                                  Function 0007A013 Relevance: 56.7, APIs: 15, Strings: 17, Instructions: 690COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 7a013-7a01a 1 7a020-7a02d call 51ac8 0->1 2 7a37a-7a544 call 804d2 call 41524 call 804d2 call 41524 call 41e0c 0->2 7 7a033-7a03a 1->7 8 7a22e-7a235 1->8 64 7a546-7a54f call 7b0fa 2->64 65 7a551 2->65 10 7a054-7a089 call 792d3 7->10 11 7a03c-7a042 7->11 13 7a367-7a375 call 7b55f 8->13 14 7a23b-7a24d call 7b4f6 8->14 26 7a08b-7a091 10->26 27 7a099 10->27 11->10 15 7a044-7a04f call 430ea 11->15 28 7ac23-7ac2a 13->28 29 7a24f-7a253 14->29 30 7a259-7a2fb call 67ebb call 427bb call 426dd call 63d70 call 7ad99 call 427bb 14->30 15->10 26->27 33 7a093-7a097 26->33 34 7a09d-7a0de call 42fec call 7b369 27->34 35 7ac2c-7ac33 28->35 36 7ac3a-7ac66 call 7b96d call 41e40 call 63247 28->36 29->30 94 7a303-7a362 call 7b6ab call 72db9 call 41e40 * 2 call 7bff8 30->94 95 7a2fd 30->95 33->34 58 7a0e0-7a0e4 34->58 59 7a0ea-7a0fa 34->59 35->36 40 7ac35 35->40 68 7ac6e-7acb5 call 41e40 call 411c2 call 7be0c call 72db9 36->68 69 7ac68-7ac6a 36->69 45 7ac35 call 7b988 40->45 45->36 58->59 60 7a10d 59->60 61 7a0fc-7a102 59->61 67 7a114-7a19e call 42fec call 67ebb call 7ad99 60->67 61->60 66 7a104-7a10b 61->66 72 7a553-7a55c 64->72 65->72 66->67 103 7a1a2 call 6f8e0 67->103 69->68 77 7a564-7a5c1 call 42fec call 7b277 72->77 78 7a55e-7a560 72->78 96 7a5c3-7a5c7 77->96 97 7a5cd-7a652 call 7ad06 call 7bf3e call 53a29 call 42e04 call 64345 77->97 78->77 94->28 95->94 96->97 136 7a676-7a6c8 call 62096 97->136 137 7a654-7a671 call 6375c call 7b96d 97->137 107 7a1a7-7a1b1 103->107 111 7a1b3-7a1bb call 7c7d7 107->111 112 7a1c0-7a1c9 107->112 111->112 117 7a1d1-7a229 call 7b6ab call 72db9 call 41e40 call 7bfa4 call 7940b 112->117 118 7a1cb 112->118 117->28 118->117 143 7a6cd-7a6d6 136->143 137->136 146 7a6e2-7a6e5 143->146 147 7a6d8-7a6dd call 7c7d7 143->147 150 7a6e7-7a6ee 146->150 151 7a72e-7a73a 146->151 147->146 154 7a722-7a725 150->154 155 7a6f0-7a71d call 41fa0 fputs call 41fa0 call 41fb3 call 41fa0 150->155 152 7a79e-7a7aa 151->152 153 7a73c-7a74a call 41fa0 151->153 156 7a7ac-7a7b2 152->156 157 7a7d9-7a7e5 152->157 170 7a755-7a799 fputs call 42201 call 41fa0 fputs call 42201 call 41fa0 153->170 171 7a74c-7a753 153->171 154->151 158 7a727 154->158 155->154 156->157 161 7a7b4-7a7d4 fputs call 42201 call 41fa0 156->161 163 7a7e7-7a7ed 157->163 164 7a818-7a81a 157->164 158->151 161->157 168 7a899-7a8a5 163->168 172 7a7f3-7a813 fputs call 42201 call 41fa0 163->172 167 7a81c-7a82b 164->167 164->168 174 7a851-7a85d 167->174 175 7a82d-7a84c fputs call 42201 call 41fa0 167->175 179 7a8a7-7a8ad 168->179 180 7a8e9-7a8ed 168->180 170->152 171->152 171->170 172->164 174->168 185 7a85f-7a872 call 41fa0 174->185 175->174 181 7a8ef 179->181 182 7a8af-7a8c2 call 41fa0 179->182 180->181 186 7a8f6-7a8f8 180->186 181->186 182->181 207 7a8c4-7a8e4 fputs call 42201 call 41fa0 182->207 185->168 209 7a874-7a894 fputs call 42201 call 41fa0 185->209 194 7aaaf-7aaeb call 643b3 call 41e40 call 7c104 call 7ad82 186->194 195 7a8fe-7a90a 186->195 246 7aaf1-7aaf7 194->246 247 7ac0b-7ac1e call 72db9 * 2 194->247 204 7aa73-7aa89 call 41fa0 195->204 205 7a910-7a91f 195->205 204->194 220 7aa8b-7aaaa fputs call 42201 call 41fa0 204->220 205->204 211 7a925-7a929 205->211 207->180 209->168 211->194 217 7a92f-7a93d 211->217 223 7a93f-7a964 fputs call 42201 call 41fa0 217->223 224 7a96a-7a971 217->224 220->194 223->224 225 7a973-7a97a 224->225 226 7a98f-7a9a8 fputs call 42201 224->226 225->226 233 7a97c-7a982 225->233 241 7a9ad-7a9bd call 41fa0 226->241 233->226 239 7a984-7a98d 233->239 239->226 244 7aa06-7aa1f fputs call 42201 239->244 241->244 252 7a9bf-7aa01 fputs call 42201 call 41fa0 fputs call 42201 call 41fa0 241->252 251 7aa24-7aa29 call 41fa0 244->251 246->247 247->28 258 7aa2e-7aa4b fputs call 42201 251->258 252->244 263 7aa50-7aa5b call 41fa0 258->263 263->194 269 7aa5d-7aa71 call 41fa0 call 7710e 263->269 269->194
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$ExceptionThrow
                                  • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                                  • API String ID: 3665150552-429544124
                                  • Opcode ID: fbd8d649e6a0dfc53cae9b1dd9e684f3f185f4317557a91b4c8a8c5351fecb83
                                  • Instruction ID: 3f1397e32271cf85c9b1ab285a2b19423ddd9a17200caec7e067f556204f22c0
                                  • Opcode Fuzzy Hash: fbd8d649e6a0dfc53cae9b1dd9e684f3f185f4317557a91b4c8a8c5351fecb83
                                  • Instruction Fuzzy Hash: 9A528E70E04258DFCF25DBA4C845BEDBBB5AF85304F0080AAE54967292DB746E84CF19
                                  Function 0007A42C Relevance: 56.5, APIs: 15, Strings: 17, Instructions: 503COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 274 7a42c-7a433 275 7a435-7a444 fputs call 41fa0 274->275 276 7a449-7a4df call 7545d call 42e04 call 61858 call 41e40 274->276 275->276 286 7a4e1-7a4e9 call 7c7d7 276->286 287 7a4ee-7a4f1 276->287 286->287 289 7a4f3-7a4fa 287->289 290 7a50e-7a520 call 7c73e 287->290 289->290 292 7a4fc-7a509 call 757fb 289->292 295 7a526-7a544 call 41e0c 290->295 296 7ac0b-7ac2a call 72db9 * 2 290->296 292->290 304 7a546-7a54f call 7b0fa 295->304 305 7a551 295->305 306 7ac2c-7ac33 296->306 307 7ac3a-7ac66 call 7b96d call 41e40 call 63247 296->307 309 7a553-7a55c 304->309 305->309 306->307 310 7ac35 call 7b988 306->310 327 7ac6e-7acb5 call 41e40 call 411c2 call 7be0c call 72db9 307->327 328 7ac68-7ac6a 307->328 313 7a564-7a5c1 call 42fec call 7b277 309->313 314 7a55e-7a560 309->314 310->307 325 7a5c3-7a5c7 313->325 326 7a5cd-7a652 call 7ad06 call 7bf3e call 53a29 call 42e04 call 64345 313->326 314->313 325->326 348 7a676-7a6d6 call 62096 326->348 349 7a654-7a671 call 6375c call 7b96d 326->349 328->327 355 7a6e2-7a6e5 348->355 356 7a6d8-7a6dd call 7c7d7 348->356 349->348 358 7a6e7-7a6ee 355->358 359 7a72e-7a73a 355->359 356->355 362 7a722-7a725 358->362 363 7a6f0-7a71d call 41fa0 fputs call 41fa0 call 41fb3 call 41fa0 358->363 360 7a79e-7a7aa 359->360 361 7a73c-7a74a call 41fa0 359->361 364 7a7ac-7a7b2 360->364 365 7a7d9-7a7e5 360->365 378 7a755-7a799 fputs call 42201 call 41fa0 fputs call 42201 call 41fa0 361->378 379 7a74c-7a753 361->379 362->359 366 7a727 362->366 363->362 364->365 369 7a7b4-7a7d4 fputs call 42201 call 41fa0 364->369 371 7a7e7-7a7ed 365->371 372 7a818-7a81a 365->372 366->359 369->365 376 7a899-7a8a5 371->376 380 7a7f3-7a813 fputs call 42201 call 41fa0 371->380 375 7a81c-7a82b 372->375 372->376 382 7a851-7a85d 375->382 383 7a82d-7a84c fputs call 42201 call 41fa0 375->383 387 7a8a7-7a8ad 376->387 388 7a8e9-7a8ed 376->388 378->360 379->360 379->378 380->372 382->376 393 7a85f-7a872 call 41fa0 382->393 383->382 389 7a8ef 387->389 390 7a8af-7a8c2 call 41fa0 387->390 388->389 394 7a8f6-7a8f8 388->394 389->394 390->389 415 7a8c4-7a8e4 fputs call 42201 call 41fa0 390->415 393->376 417 7a874-7a894 fputs call 42201 call 41fa0 393->417 402 7aaaf-7aaeb call 643b3 call 41e40 call 7c104 call 7ad82 394->402 403 7a8fe-7a90a 394->403 402->296 454 7aaf1-7aaf7 402->454 412 7aa73-7aa89 call 41fa0 403->412 413 7a910-7a91f 403->413 412->402 428 7aa8b-7aaaa fputs call 42201 call 41fa0 412->428 413->412 419 7a925-7a929 413->419 415->388 417->376 419->402 425 7a92f-7a93d 419->425 431 7a93f-7a964 fputs call 42201 call 41fa0 425->431 432 7a96a-7a971 425->432 428->402 431->432 433 7a973-7a97a 432->433 434 7a98f-7a9a8 fputs call 42201 432->434 433->434 441 7a97c-7a982 433->441 449 7a9ad-7a9bd call 41fa0 434->449 441->434 447 7a984-7a98d 441->447 447->434 452 7aa06-7aa4b fputs call 42201 call 41fa0 fputs call 42201 447->452 449->452 458 7a9bf-7aa01 fputs call 42201 call 41fa0 fputs call 42201 call 41fa0 449->458 467 7aa50-7aa5b call 41fa0 452->467 454->296 458->452 467->402 473 7aa5d-7aa71 call 41fa0 call 7710e 467->473 473->402
                                  APIs
                                  • fputs.MSVCRT(Scanning the drive for archives:), ref: 0007A43E
                                    • Part of subcall function 00041FA0: fputc.MSVCRT ref: 00041FA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputcfputs
                                  • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                                  • API String ID: 269475090-3104439828
                                  • Opcode ID: 9d1bf8e4d39abc9c0c4a5f147968840d24e074c7fc0d1aef080cd724706875e3
                                  • Instruction ID: 192774b2933aeb5e6c42a4fa392f193f8283b469d6dab250621f4367fa9c42e4
                                  • Opcode Fuzzy Hash: 9d1bf8e4d39abc9c0c4a5f147968840d24e074c7fc0d1aef080cd724706875e3
                                  • Instruction Fuzzy Hash: 00226F31E04258DFDF26DBA4C845BEDBBF1AF85300F1480AAE54967292DB746E84CF16
                                  Function 0007993D Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 569COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 478 7993d-79950 call 7b5b1 481 79963-7997e call 51f33 478->481 482 79952-7995e call 41fb3 478->482 486 79980-7998a 481->486 487 7998f-79998 481->487 482->481 486->487 488 7999a-799a6 487->488 489 799a8 487->489 488->489 490 799ab-799b5 488->490 489->490 491 799b7-799cc GetStdHandle GetConsoleScreenBufferInfo 490->491 492 799d5-79a04 call 41e0c call 7acb6 490->492 491->492 493 799ce-799d2 491->493 500 79a06-79a08 492->500 501 79a0c-79a24 call 67b48 492->501 493->492 500->501 503 79a29-79a48 call 7b96d call 67018 call 51aa4 501->503 510 79a7c-79aa8 call 6ddb5 503->510 511 79a4a-79a4c 503->511 518 79ac0-79ade 510->518 519 79aaa-79abb _CxxThrowException 510->519 513 79a66-79a77 _CxxThrowException 511->513 514 79a4e-79a55 511->514 513->510 514->513 515 79a57-79a64 call 51ac8 514->515 515->510 515->513 521 79ae0-79b04 call 67dd7 518->521 522 79b3a-79b55 518->522 519->518 529 79bfa-79c0b _CxxThrowException 521->529 530 79b0a-79b0e 521->530 525 79b57 522->525 526 79b5c-79ba4 call 41fa0 fputs call 41fa0 strlen * 2 522->526 525->526 541 79e25-79e4d call 41fa0 fputs call 41fa0 526->541 542 79baa-79be4 fputs fputc 526->542 533 79c10 529->533 530->529 532 79b14-79b38 call 7c077 call 41e40 530->532 532->521 532->522 536 79c12-79c25 533->536 544 79c27-79c33 536->544 545 79be6-79bf0 536->545 554 79e53 541->554 555 79f0c-79f34 call 41fa0 fputs call 41fa0 541->555 542->544 542->545 552 79c35-79c3d 544->552 553 79c81-79cb1 call 7b67d call 42e04 544->553 545->533 547 79bf2-79bf8 545->547 547->536 556 79c3f-79c4a 552->556 557 79c6b-79c80 call 421d8 552->557 592 79cb3-79cb7 553->592 593 79d10-79d28 call 7b67d 553->593 558 79e5a-79e6f call 7b650 554->558 579 7ac23-7ac2a 555->579 580 79f3a 555->580 560 79c54 556->560 561 79c4c-79c52 556->561 557->553 573 79e71-79e79 558->573 574 79e7b-79e7e call 421d8 558->574 566 79c56-79c69 560->566 561->566 566->556 566->557 583 79e83-79f06 call 7bde4 fputs call 41fa0 573->583 574->583 584 7ac2c-7ac33 579->584 585 7ac3a-7ac66 call 7b96d call 41e40 call 63247 579->585 586 79f41-79f9d call 7b650 call 7b5e9 call 7bde4 fputs call 41fa0 580->586 583->555 583->558 584->585 589 7ac35 call 7b988 584->589 617 7ac6e-7acb5 call 41e40 call 411c2 call 7be0c call 72db9 585->617 618 7ac68-7ac6a 585->618 662 79f9f 586->662 589->585 600 79cc1-79cdd call 431e5 592->600 601 79cb9-79cbc call 4315e 592->601 620 79d4b-79d53 593->620 621 79d2a-79d4a fputs call 421d8 593->621 610 79d05-79d0e 600->610 611 79cdf-79d00 call 43221 call 431e5 call 41089 600->611 601->600 610->592 610->593 611->610 618->617 624 79dff-79e1f call 41fa0 call 41e40 620->624 625 79d59-79d5d 620->625 621->620 624->541 624->542 631 79d5f-79d6d fputs 625->631 632 79d6e-79d82 625->632 631->632 638 79d84-79d88 632->638 639 79df0-79df9 632->639 645 79d95-79d9f 638->645 646 79d8a-79d94 638->646 639->624 639->625 651 79da5-79db1 645->651 652 79da1-79da3 645->652 646->645 659 79db3-79db6 651->659 660 79db8 651->660 652->651 658 79dd8-79dee 652->658 658->638 658->639 664 79dbb-79dce 659->664 660->664 662->579 670 79dd5 664->670 671 79dd0-79dd3 664->671 670->658 671->658
                                  APIs
                                    • Part of subcall function 0007B5B1: fputs.MSVCRT ref: 0007B5CA
                                    • Part of subcall function 0007B5B1: fputs.MSVCRT ref: 0007B5E1
                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 000799BD
                                  • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 000799C4
                                  • _CxxThrowException.MSVCRT(?,000F55B8), ref: 00079A77
                                  • _CxxThrowException.MSVCRT(?,000F55B8), ref: 00079ABB
                                    • Part of subcall function 00041FB3: __EH_prolog.LIBCMT ref: 00041FB8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                                  • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                                  • API String ID: 377453556-3661318601
                                  • Opcode ID: 6a2fc59d4c9cc233f50ac964c6ba669cec3ae908fd3c679ea59b315fd585314c
                                  • Instruction ID: db324759255b7a0c979bb2d3784f6caee8c84ee8a52cc50d17e2b2cba0bfe399
                                  • Opcode Fuzzy Hash: 6a2fc59d4c9cc233f50ac964c6ba669cec3ae908fd3c679ea59b315fd585314c
                                  • Instruction Fuzzy Hash: 70225071D00208DFDF25EF94D885BEDBBB1EF44310F20805AE559AB292CB399A85CF65
                                  Function 00051ADE Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 288COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 672 51ade-51b14 call dfb10 call 413f5 677 51b16-51b2d call 61d73 _CxxThrowException 672->677 678 51b32-51b8b _fileno _isatty _fileno _isatty _fileno _isatty 672->678 677->678 680 51b9d-51b9f 678->680 681 51b8d-51b91 678->681 684 51ba0-51bcd 680->684 681->680 683 51b93-51b97 681->683 683->680 685 51b99-51b9b 683->685 686 51bcf-51bf8 call 51ea4 call 427bb call 41e40 684->686 687 51bf9-51c12 684->687 685->684 686->687 688 51c14-51c18 687->688 689 51c20 687->689 688->689 691 51c1a-51c1e 688->691 692 51c27-51c2b 689->692 691->689 691->692 694 51c34-51c3e 692->694 695 51c2d 692->695 697 51c40-51c43 694->697 698 51c49-51c53 694->698 695->694 697->698 700 51c55-51c58 698->700 701 51c5e-51c68 698->701 700->701 703 51c73-51c79 701->703 704 51c6a-51c6d 701->704 706 51cc9-51cd2 703->706 707 51c7b-51c87 703->707 704->703 708 51cd4-51ce6 706->708 709 51cea call 51eb9 706->709 710 51c95-51ca1 call 51ed1 707->710 711 51c89-51c93 707->711 708->709 715 51cef-51cf8 709->715 716 51cc0-51cc3 710->716 717 51ca3-51cbb call 61d73 _CxxThrowException 710->717 711->706 718 51d37-51d40 715->718 719 51cfa-51d0a 715->719 716->706 717->716 721 51d46-51d52 718->721 722 51e93-51ea1 718->722 723 51d10 719->723 724 51dc2-51dd4 wcscmp 719->724 721->722 728 51d58-51d93 call 426dd call 4280c call 43221 call 43bbf 721->728 726 51d17-51d1f call 49399 723->726 724->726 727 51dda-51de6 call 51ed1 724->727 726->718 735 51d21-51d32 call c6a60 call 49313 726->735 727->726 736 51dec-51e04 call 61d73 _CxxThrowException 727->736 756 51d95-51d9c 728->756 757 51d9f-51da3 728->757 735->718 745 51e09-51e0c 736->745 748 51e31-51e4a call 51f0c GetCurrentProcess SetProcessAffinityMask 745->748 749 51e0e 745->749 761 51e83-51e92 call 43172 call 41e40 748->761 762 51e4c-51e82 GetLastError call 43221 call 458a9 call 431e5 call 41e40 748->762 752 51e14-51e2c call 61d73 _CxxThrowException 749->752 753 51e10-51e12 749->753 752->748 753->748 753->752 756->757 757->745 760 51da5-51dbd call 61d73 _CxxThrowException 757->760 760->724 761->722 762->761
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00051AE3
                                    • Part of subcall function 000413F5: __EH_prolog.LIBCMT ref: 000413FA
                                  • _CxxThrowException.MSVCRT(?,000F6010), ref: 00051B2D
                                  • _fileno.MSVCRT ref: 00051B3E
                                  • _isatty.MSVCRT ref: 00051B47
                                  • _fileno.MSVCRT ref: 00051B5D
                                  • _isatty.MSVCRT ref: 00051B60
                                  • _fileno.MSVCRT ref: 00051B73
                                  • _CxxThrowException.MSVCRT(?,000F6010), ref: 00051CBB
                                  • _CxxThrowException.MSVCRT(?,000F6010), ref: 00051DBD
                                  • wcscmp.MSVCRT ref: 00051DCA
                                  • _CxxThrowException.MSVCRT(?,000F6010), ref: 00051E04
                                  • _isatty.MSVCRT ref: 00051B76
                                    • Part of subcall function 00061D73: __EH_prolog.LIBCMT ref: 00061D78
                                  • _CxxThrowException.MSVCRT(?,000F6010), ref: 00051E2C
                                  • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00051E3B
                                  • SetProcessAffinityMask.KERNEL32(00000000), ref: 00051E42
                                  • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00051E4C
                                  Strings
                                  • Unsupported switch postfix -stm, xrefs: 00051DAA
                                  • SeLockMemoryPrivilege, xrefs: 00051D28
                                  • : ERROR : , xrefs: 00051E52
                                  • Set process affinity mask: , xrefs: 00051D74
                                  • Unsupported switch postfix for -slp, xrefs: 00051DF1
                                  • unsupported value -stm, xrefs: 00051E19
                                  • Unsupported switch postfix -bb, xrefs: 00051CA8
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                  • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                                  • API String ID: 1826148334-1115009270
                                  • Opcode ID: f3a259e1d0bafe6df52dbc2812cfb258c9274a0ce1fddaa347c28f8b123f1528
                                  • Instruction ID: e5c03dde3869a7f31191d79dcec874647ed3d9dc14888f06f971a29462ea530f
                                  • Opcode Fuzzy Hash: f3a259e1d0bafe6df52dbc2812cfb258c9274a0ce1fddaa347c28f8b123f1528
                                  • Instruction Fuzzy Hash: 6FC1D4719003859FEB11DFB4C889FDABBF1AF09315F048469E895A7293C775AD48CB20
                                  Function 00078012 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 240COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 777 78012-78032 call dfb10 780 78285 777->780 781 78038-7806c fputs call 78341 777->781 782 78287-78295 780->782 785 7806e-78071 781->785 786 780c8-780cd 781->786 789 78073-78089 fputs call 41fa0 785->789 790 7808b-7808d 785->790 787 780d6-780df 786->787 788 780cf-780d4 786->788 791 780e2-78110 call 78341 call 78622 787->791 788->791 789->786 793 78096-7809f 790->793 794 7808f-78094 790->794 805 78112-78119 call 7831f 791->805 806 7811e-7812f call 78565 791->806 795 780a2-780c7 call 42e47 call 785c6 call 41e40 793->795 794->795 795->786 805->806 806->782 812 78135-7813f 806->812 813 78141-78148 call 782bb 812->813 814 7814d-7815b 812->814 813->814 814->782 817 78161-78164 814->817 818 781b6-781c0 817->818 819 78166-78186 817->819 820 78276-7827f 818->820 821 781c6-781e1 fputs 818->821 824 7818c-78196 call 78565 819->824 825 78298-7829d 819->825 820->780 820->781 821->820 826 781e7-781fb 821->826 829 7819b-7819d 824->829 827 782b1-782b9 SysFreeString 825->827 830 78273 826->830 831 781fd-7821f 826->831 827->782 829->825 832 781a3-781b4 SysFreeString 829->832 830->820 834 78221-78245 831->834 835 7829f-782a1 831->835 832->818 832->819 838 78247-78271 call 784a7 call 4965d SysFreeString 834->838 839 782a3-782ab call 4965d 834->839 836 782ae 835->836 836->827 838->830 838->831 839->836
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00078017
                                  • fputs.MSVCRT ref: 0007804D
                                    • Part of subcall function 00078341: __EH_prolog.LIBCMT ref: 00078346
                                    • Part of subcall function 00078341: fputs.MSVCRT ref: 0007835B
                                    • Part of subcall function 00078341: fputs.MSVCRT ref: 00078364
                                  • fputs.MSVCRT ref: 0007807A
                                    • Part of subcall function 00041FA0: fputc.MSVCRT ref: 00041FA7
                                    • Part of subcall function 0004965D: VariantClear.OLEAUT32(?), ref: 0004967F
                                  • SysFreeString.OLEAUT32(00000000), ref: 000781AA
                                  • fputs.MSVCRT ref: 000781CD
                                  • SysFreeString.OLEAUT32(00000000), ref: 00078267
                                  • SysFreeString.OLEAUT32(00000000), ref: 000782B1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                                  • String ID: --$----$Path$Type$Warning: The archive is open with offset
                                  • API String ID: 2889736305-3797937567
                                  • Opcode ID: d9daf22090fa099e8109ca1d00274903482424b18b0fec11d8c1b36d6e2c5fce
                                  • Instruction ID: 1192ca5acd863ecdf735055f45e0276dcb8e06f62c1d7a2ee1cfc5cdad845dc2
                                  • Opcode Fuzzy Hash: d9daf22090fa099e8109ca1d00274903482424b18b0fec11d8c1b36d6e2c5fce
                                  • Instruction Fuzzy Hash: ED916B71A40605EFDB14DFA4C989AEEB7B5FF48310F108129E50AB7292DB74AD06CB64
                                  Function 00076766 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 135COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 846 76766-76792 call dfb10 EnterCriticalSection 849 76794-76799 call 7c7d7 846->849 850 767af-767b7 846->850 857 7679e-767ac 849->857 852 767be-767c3 850->852 853 767b9 call 41f91 850->853 855 76892-768a8 852->855 856 767c9-767d5 852->856 853->852 860 76941 855->860 861 768ae-768b4 855->861 858 76817-7682f 856->858 859 767d7-767dd 856->859 857->850 864 76873-7687b 858->864 865 76831-76842 call 41fa0 858->865 859->858 862 767df-767eb 859->862 866 76943-7695a 860->866 861->860 863 768ba-768c2 861->863 869 767f3-76801 862->869 870 767ed 862->870 867 76933-7693f call 7c5cd 863->867 871 768c4-768e6 call 41fa0 fputs 863->871 864->867 868 76881-76887 864->868 865->864 883 76844-7686c fputs call 42201 865->883 867->866 868->867 873 7688d 868->873 869->864 875 76803-76815 fputs 869->875 870->869 886 768fb-76917 call 54f2a call 41fb3 call 41e40 871->886 887 768e8-768f9 fputs 871->887 879 7692e call 41f91 873->879 881 7686e call 41fa0 875->881 879->867 881->864 883->881 889 7691c-76928 call 41fa0 886->889 887->889 889->879
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0007676B
                                  • EnterCriticalSection.KERNEL32(00102938), ref: 00076781
                                  • fputs.MSVCRT ref: 0007680B
                                  • LeaveCriticalSection.KERNEL32(00102938), ref: 00076944
                                    • Part of subcall function 0007C7D7: fputs.MSVCRT ref: 0007C840
                                  • fputs.MSVCRT ref: 00076851
                                    • Part of subcall function 00042201: fputs.MSVCRT ref: 0004221E
                                  • fputs.MSVCRT ref: 000768D9
                                  • fputs.MSVCRT ref: 000768F6
                                    • Part of subcall function 00041FA0: fputc.MSVCRT ref: 00041FA7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                                  • String ID: v$Sub items Errors:
                                  • API String ID: 2670240366-2468115448
                                  • Opcode ID: e5f26f3c1830f40f50440046d99d96695f7dbecb1f9ac522ae9537e2e05b2e88
                                  • Instruction ID: e7534e5099a906509756863c6436c306cc07a6978b17a5e1f60c8b96078d80d8
                                  • Opcode Fuzzy Hash: e5f26f3c1830f40f50440046d99d96695f7dbecb1f9ac522ae9537e2e05b2e88
                                  • Instruction Fuzzy Hash: FA51C031904A40CFD7649F64D894AEAB7E1BF44310F14853EE59F9B251CB3A6C45CB58
                                  Function 00076359 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 252COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 898 76359-76373 call dfb10 901 76375-76385 call 7c7d7 898->901 902 7639e-763af call 75a4d 898->902 901->902 907 76387-7639b 901->907 908 763b5-763cd 902->908 909 765ee-765f1 902->909 907->902 912 763d2-763d4 908->912 913 763cf 908->913 910 76624-7663c 909->910 911 765f3-765fb 909->911 916 76643-7664b 910->916 917 7663e call 41f91 910->917 914 76601-76607 call 78012 911->914 915 766ea call 7c5cd 911->915 918 763d6-763d9 912->918 919 763df-763e7 912->919 913->912 932 7660c-7660e 914->932 929 766ef-766fd 915->929 916->915 921 76651-7668f fputs call 4211a call 41fa0 call 78685 916->921 917->916 918->919 920 764b1-764bc call 76700 918->920 922 76411-76413 919->922 923 763e9-763f2 call 41fa0 919->923 947 764c7-764cf 920->947 948 764be-764c1 920->948 921->929 983 76691-76697 921->983 930 76415-7641d 922->930 931 76442-76446 922->931 923->922 943 763f4-7640c call 4210c call 41fa0 923->943 936 7641f-76425 call 76134 930->936 937 7642a-7643b 930->937 940 76497-7649f 931->940 941 76448-76450 931->941 932->929 938 76614-7661f call 41fa0 932->938 936->937 937->931 938->915 940->920 944 764a1-764ac call 41fa0 call 41f91 940->944 949 76452-7647a fputs call 41fa0 call 41fb3 call 41fa0 941->949 950 7647f-76490 941->950 943->922 944->920 951 764d1-764da call 41fa0 947->951 952 764f9-764fb 947->952 948->947 958 765a2-765a6 948->958 949->950 950->940 951->952 980 764dc-764f4 call 4210c call 41fa0 951->980 963 764fd-76505 952->963 964 7652a-7652e 952->964 966 765da-765e6 958->966 967 765a8-765b6 958->967 973 76507-7650d call 76134 963->973 974 76512-76523 963->974 976 76530-76538 964->976 977 7657f-76587 964->977 966->908 970 765ec 966->970 978 765d3 967->978 979 765b8-765ca call 76244 967->979 970->909 973->974 974->964 985 76567-76578 976->985 986 7653a-76562 fputs call 41fa0 call 41fb3 call 41fa0 976->986 977->958 982 76589-76595 call 41fa0 977->982 978->966 979->978 996 765cc-765ce call 41f91 979->996 980->952 982->958 1005 76597-7659d call 41f91 982->1005 991 766df-766e5 call 41f91 983->991 992 76699-7669f 983->992 985->977 986->985 991->915 1000 766b3-766ce call 54f2a call 41fb3 call 41e40 992->1000 1001 766a1-766b1 fputs 992->1001 996->978 1006 766d3-766da call 41fa0 1000->1006 1001->1006 1005->958 1006->991
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0007635E
                                  • fputs.MSVCRT ref: 0007645F
                                    • Part of subcall function 0007C7D7: fputs.MSVCRT ref: 0007C840
                                  • fputs.MSVCRT ref: 00076547
                                  • fputs.MSVCRT ref: 0007665F
                                  • fputs.MSVCRT ref: 000766AE
                                    • Part of subcall function 00041F91: fflush.MSVCRT ref: 00041F93
                                    • Part of subcall function 00041FB3: __EH_prolog.LIBCMT ref: 00041FB8
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$H_prolog$fflushfree
                                  • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                                  • API String ID: 1750297421-1898165966
                                  • Opcode ID: 445300d3facf8554bb69338930b7d9d0d7846799a9d265b40f210954e96669c8
                                  • Instruction ID: 4535a950ecd9fe71c221661411cb2cb0758023f918a606ab8511897172cdd33e
                                  • Opcode Fuzzy Hash: 445300d3facf8554bb69338930b7d9d0d7846799a9d265b40f210954e96669c8
                                  • Instruction Fuzzy Hash: C9B16F70A01B018FDB64EF60C9A1BEAB7E1BF44304F04853DE95F57252CB79A989CB58
                                  Function 00049C8F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47libraryloaderCOMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1016 49c8f-49cc2 GetModuleHandleA GetProcAddress 1017 49cc4-49ccc GlobalMemoryStatusEx 1016->1017 1018 49cef-49d06 GlobalMemoryStatus 1016->1018 1017->1018 1019 49cce-49cd7 1017->1019 1020 49d08 1018->1020 1021 49d0b-49d0d 1018->1021 1022 49ce5 1019->1022 1023 49cd9 1019->1023 1020->1021 1024 49d11-49d15 1021->1024 1027 49ce8-49ced 1022->1027 1025 49ce0-49ce3 1023->1025 1026 49cdb-49cde 1023->1026 1025->1027 1026->1022 1026->1025 1027->1024
                                  APIs
                                  • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00049CB3
                                  • GetProcAddress.KERNEL32(00000000), ref: 00049CBA
                                  • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00049CC8
                                  • GlobalMemoryStatus.KERNEL32(?), ref: 00049CFA
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                                  • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                  • API String ID: 180289352-802862622
                                  • Opcode ID: e458ae8269a24b6470afa267dcef6819fca1201bad27133813046eebd0f055d2
                                  • Instruction ID: 9ab837afc2d2c11e2584510d535c0751333acaf1360a95a5714c1a599da8f327
                                  • Opcode Fuzzy Hash: e458ae8269a24b6470afa267dcef6819fca1201bad27133813046eebd0f055d2
                                  • Instruction Fuzzy Hash: EC1117B19003499FEF24DFA4D889BAEBBF5BF04705F104428E546AB240D778A984CB58
                                  Function 000DFF3A Relevance: 10.6, APIs: 7, Instructions: 57COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                                  • String ID:
                                  • API String ID: 4012487245-0
                                  • Opcode ID: 714480387be2dbe2026202a264f738d3d645bee468e90f3c2f604442bc7e630b
                                  • Instruction ID: 683841f3d0bd0b17d71b79901b48a80bbcbdf5056d05c854e67e3b23198b68d3
                                  • Opcode Fuzzy Hash: 714480387be2dbe2026202a264f738d3d645bee468e90f3c2f604442bc7e630b
                                  • Instruction Fuzzy Hash: 5E213E71900748EFEB149FA4DC99E9D7B79FB09720F004259F551AA6E2C7B95481CF20
                                  Function 000DFFB1 Relevance: 10.5, APIs: 7, Instructions: 43COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                                  • String ID:
                                  • API String ID: 279829931-0
                                  • Opcode ID: 3825b898c3d95f14585678fcfa3eb1f5b7051cecf3cd38bd147995dd9e3fde45
                                  • Instruction ID: b5459dd2644cd4c3dc19ceaa447796cb5835e715b5d117b42b0fcd11b1838bff
                                  • Opcode Fuzzy Hash: 3825b898c3d95f14585678fcfa3eb1f5b7051cecf3cd38bd147995dd9e3fde45
                                  • Instruction Fuzzy Hash: EF010071940348AFEB04ABE0DC95CEE7779FB4D710B104059F541B62A2DBB69451CF20
                                  Function 00061858 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 213COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0006185D
                                    • Part of subcall function 0006021A: __EH_prolog.LIBCMT ref: 0006021F
                                    • Part of subcall function 0006062E: __EH_prolog.LIBCMT ref: 00060633
                                  • _CxxThrowException.MSVCRT(?,000F6010), ref: 00061961
                                    • Part of subcall function 00061AA5: __EH_prolog.LIBCMT ref: 00061AAA
                                  Strings
                                  • Duplicate archive path:, xrefs: 00061A8D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrow
                                  • String ID: Duplicate archive path:
                                  • API String ID: 2366012087-4000988232
                                  • Opcode ID: ef7cc14b8f79cc3a675a289806ad3d98983bc647edc4093c41b37a1f9850031a
                                  • Instruction ID: 4dce6d27d4150541f143e189c80922b113783c125c2890af93c687838e8b1058
                                  • Opcode Fuzzy Hash: ef7cc14b8f79cc3a675a289806ad3d98983bc647edc4093c41b37a1f9850031a
                                  • Instruction Fuzzy Hash: 92819D31D00249DFCF25EFA4D891ADEBBB2AF08310F1440AAE51677293DB30AE05CB65
                                  Function 0008F1B2 Relevance: 7.7, APIs: 5, Instructions: 168COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1518 8f1b2-8f1ce call dfb10 call 51168 1522 8f1d3-8f1d5 1518->1522 1523 8f36a-8f378 1522->1523 1524 8f1db-8f1e4 call 8f3e4 1522->1524 1527 8f1ed-8f1f2 1524->1527 1528 8f1e6-8f1e8 1524->1528 1529 8f203-8f21a 1527->1529 1530 8f1f4-8f1f9 1527->1530 1528->1523 1533 8f21c-8f22c _CxxThrowException 1529->1533 1534 8f231-8f248 memcpy 1529->1534 1530->1529 1531 8f1fb-8f1fe 1530->1531 1531->1523 1533->1534 1535 8f24c-8f257 1534->1535 1536 8f259 1535->1536 1537 8f25c-8f25e 1535->1537 1536->1537 1538 8f260-8f26f 1537->1538 1539 8f281-8f299 1537->1539 1540 8f279-8f27b 1538->1540 1541 8f271 1538->1541 1547 8f29b-8f2a0 1539->1547 1548 8f311-8f313 1539->1548 1540->1539 1544 8f315-8f318 1540->1544 1542 8f273-8f275 1541->1542 1543 8f277 1541->1543 1542->1540 1542->1543 1543->1540 1546 8f357-8f368 1544->1546 1546->1523 1547->1544 1549 8f2a2-8f2b5 call 8f37b 1547->1549 1548->1546 1553 8f2f0-8f30c memmove 1549->1553 1554 8f2b7-8f2cf call de1a0 1549->1554 1553->1535 1557 8f31a-8f355 memcpy 1554->1557 1558 8f2d1-8f2eb call 8f37b 1554->1558 1557->1546 1558->1554 1562 8f2ed 1558->1562 1562->1553
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 9cb712d9eb9872154f121d0c622a122317fa0175e773afb04d9609fdb03b49ed
                                  • Instruction ID: 851d4164cf34a54bb09afe84f1025c6842991b66632224f445f2bb3366fac568
                                  • Opcode Fuzzy Hash: 9cb712d9eb9872154f121d0c622a122317fa0175e773afb04d9609fdb03b49ed
                                  • Instruction Fuzzy Hash: A3515176A003069FDB14EFA4C8C5BFEB3B5FF98354F148429E941AB241D774AA458B60
                                  Function 00046C72 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 398COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1563 46c72-46c8e call dfb10 1566 46c96-46c9e 1563->1566 1567 46c90-46c94 1563->1567 1569 46ca6-46cae 1566->1569 1570 46ca0-46ca4 1566->1570 1567->1566 1568 46cd3-46cdc call 48664 1567->1568 1575 46d87-46d92 call 488c6 1568->1575 1576 46ce2-46d02 call 467f0 call 42f88 call 487df 1568->1576 1569->1568 1572 46cb0-46cb5 1569->1572 1570->1568 1570->1569 1572->1568 1574 46cb7-46cce call 467f0 call 42f88 1572->1574 1588 4715d-4715f 1574->1588 1585 46f4c-46f62 call 487fa 1575->1585 1586 46d98-46d9e 1575->1586 1602 46d04-46d09 1576->1602 1603 46d4a-46d61 call 47b41 1576->1603 1596 46f64-46f66 1585->1596 1597 46f67-46f74 call 485e2 1585->1597 1586->1585 1591 46da4-46dc7 call 42e47 * 2 1586->1591 1594 47118-47126 1588->1594 1609 46dd4-46dda 1591->1609 1610 46dc9-46dcf 1591->1610 1596->1597 1611 46f76-46f7c 1597->1611 1612 46fd1-46fd8 1597->1612 1602->1603 1607 46d0b-46d38 call 49252 1602->1607 1614 46d67-46d6b 1603->1614 1615 46d63-46d65 1603->1615 1607->1603 1631 46d3a-46d45 1607->1631 1616 46df1-46df9 call 43221 1609->1616 1617 46ddc-46def call 42407 1609->1617 1610->1609 1611->1612 1620 46f7e-46f8a call 46bf5 1611->1620 1618 46fe4-46feb 1612->1618 1619 46fda-46fde 1612->1619 1623 46d6d-46d75 1614->1623 1624 46d78 1614->1624 1622 46d7a-46d82 call 4764c 1615->1622 1636 46dfe-46e0b call 487df 1616->1636 1617->1616 1617->1636 1628 4701d-47024 call 48782 1618->1628 1629 46fed-46ff7 call 46bf5 1618->1629 1619->1618 1627 470e5-470ea call 46868 1619->1627 1620->1627 1644 46f90-46f93 1620->1644 1648 47116 1622->1648 1623->1624 1624->1622 1640 470ef-470f3 1627->1640 1628->1627 1645 4702a-47035 1628->1645 1629->1627 1650 46ffd-47000 1629->1650 1631->1588 1655 46e43-46e50 call 46c72 1636->1655 1656 46e0d-46e10 1636->1656 1646 470f5-470f7 1640->1646 1647 4710c 1640->1647 1644->1627 1651 46f99-46fb6 call 467f0 call 42f88 1644->1651 1645->1627 1652 4703b-47044 call 48578 1645->1652 1646->1647 1653 470f9-47102 1646->1653 1654 4710e-47111 call 46848 1647->1654 1648->1594 1650->1627 1657 47006-4701b call 467f0 1650->1657 1682 46fc2-46fc5 call 4717b 1651->1682 1683 46fb8-46fbd 1651->1683 1652->1627 1677 4704a-47054 call 4717b 1652->1677 1653->1647 1660 47104-47107 call 4717b 1653->1660 1654->1648 1678 46e56 1655->1678 1679 46f3a-46f4b call 41e40 * 2 1655->1679 1663 46e12-46e15 1656->1663 1664 46e1e-46e36 call 467f0 1656->1664 1674 46fca-46fcc 1657->1674 1660->1647 1663->1655 1672 46e17-46e1c 1663->1672 1680 46e58-46e7e call 42f1c call 42e04 1664->1680 1681 46e38-46e41 call 42fec 1664->1681 1672->1655 1672->1664 1674->1654 1692 47064-47097 call 42e47 call 41089 * 2 call 46868 1677->1692 1693 47056-4705f call 42f88 1677->1693 1678->1680 1679->1585 1701 46e83-46e99 call 46bb5 1680->1701 1681->1680 1682->1674 1683->1682 1725 470bf-470cc call 46bf5 1692->1725 1726 47099-470af wcscmp 1692->1726 1704 47155-47158 call 46848 1693->1704 1709 46ecf-46ed1 1701->1709 1710 46e9b-46e9f 1701->1710 1704->1588 1715 46f09-46f35 call 41e40 * 2 call 46848 call 41e40 * 2 1709->1715 1712 46ec7-46ec9 SetLastError 1710->1712 1713 46ea1-46eae call 422bf 1710->1713 1712->1709 1722 46eb0-46ec5 call 41e40 call 42e04 1713->1722 1723 46ed3-46ed9 1713->1723 1715->1648 1722->1701 1732 46eec-46f07 call 431e5 1723->1732 1733 46edb-46ee0 1723->1733 1744 470ce-470d1 1725->1744 1745 47129-47133 call 467f0 1725->1745 1729 470b1-470b6 1726->1729 1730 470bb 1726->1730 1736 47147-47154 call 42f88 call 41e40 1729->1736 1730->1725 1732->1715 1733->1732 1738 46ee2-46ee8 1733->1738 1736->1704 1738->1732 1749 470d3-470d6 1744->1749 1750 470d8-470e4 call 41e40 1744->1750 1757 47135-47138 1745->1757 1758 4713a 1745->1758 1749->1745 1749->1750 1750->1627 1761 47141-47144 1757->1761 1758->1761 1761->1736
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00046C77
                                  • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00046EC9
                                    • Part of subcall function 00046C72: wcscmp.MSVCRT ref: 000470A5
                                    • Part of subcall function 00046BF5: __EH_prolog.LIBCMT ref: 00046BFA
                                    • Part of subcall function 00046BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00046C1A
                                    • Part of subcall function 00046BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00046C49
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                                  • String ID: :$DATA
                                  • API String ID: 3316598575-2587938151
                                  • Opcode ID: 846409ac32fe59233939a2906b798c4dd37fd8801dd9c9fcb92b3b5355469a1b
                                  • Instruction ID: 07b4e5594a5917dd7916a3f90fc9b79a4d049f653299efa3a2a15144363abcca
                                  • Opcode Fuzzy Hash: 846409ac32fe59233939a2906b798c4dd37fd8801dd9c9fcb92b3b5355469a1b
                                  • Instruction Fuzzy Hash: 7BE127F0900209DACF25EFA4C891BEDB7F1EF16314F104539E846672A3EB729949C75A
                                  Function 00056FC5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00056FCA
                                    • Part of subcall function 00056E71: __EH_prolog.LIBCMT ref: 00056E76
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                  • API String ID: 3519838083-394804653
                                  • Opcode ID: cf87357abbf0a3910becd1cf30d2f0935e9e621e36a67fe3244ed9763c582518
                                  • Instruction ID: 93d24648ba0c9f608944c7e805ad5cf2bd47999d213340308151c3a9c8876675
                                  • Opcode Fuzzy Hash: cf87357abbf0a3910becd1cf30d2f0935e9e621e36a67fe3244ed9763c582518
                                  • Instruction Fuzzy Hash: 80410272908684DBCF20DFA89440AEFFBF5AF05301F58446EE88AA3242C6306E48D765
                                  Function 000784A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$H_prolog
                                  • String ID: =
                                  • API String ID: 2614055831-2525689732
                                  • Opcode ID: edbf438deaa002a6224f82eb008ab13fac150e0670b2ee58e632ae03caaab6a2
                                  • Instruction ID: 35f037c1511e2f9d6ea6f6b86558053304adfb61b6dc6e9dd5597c887c4dab09
                                  • Opcode Fuzzy Hash: edbf438deaa002a6224f82eb008ab13fac150e0670b2ee58e632ae03caaab6a2
                                  • Instruction Fuzzy Hash: BB218E72904158AFCF05EB94D956BEDBBB5EF44310F20802AF40572193DF752E45CB98
                                  Function 00078341 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00078346
                                  • fputs.MSVCRT ref: 0007835B
                                  • fputs.MSVCRT ref: 00078364
                                    • Part of subcall function 000783BF: __EH_prolog.LIBCMT ref: 000783C4
                                    • Part of subcall function 000783BF: fputs.MSVCRT ref: 00078401
                                    • Part of subcall function 000783BF: fputs.MSVCRT ref: 00078437
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$H_prolog
                                  • String ID: =
                                  • API String ID: 2614055831-2525689732
                                  • Opcode ID: 55437740e039b55171965e63fbf0b3b4d91ecedccaf062097bb499018cf0be56
                                  • Instruction ID: d3474d932fd6e9a1a507ac6da66a6a597751ef6b49a54976161dc1e4b08cc055
                                  • Opcode Fuzzy Hash: 55437740e039b55171965e63fbf0b3b4d91ecedccaf062097bb499018cf0be56
                                  • Instruction Fuzzy Hash: 0701DB71A00144ABCB15BB69C856AED7F75EF84750F00C02AF44562153CF794A86DBD5
                                  Function 000D7DA0 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0005AB57), ref: 000D7DAA
                                  • GetLastError.KERNEL32(?,00000000,0005AB57), ref: 000D7DBB
                                  • CloseHandle.KERNELBASE(00000000,?,00000000,0005AB57), ref: 000D7DCF
                                  • GetLastError.KERNEL32(?,00000000,0005AB57), ref: 000D7DD9
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ErrorLast$CloseHandleObjectSingleWait
                                  • String ID:
                                  • API String ID: 1796208289-0
                                  • Opcode ID: 082039cc34bd61a29cf74510c06e19a3b253f51a378e9957838d560cbf70ed13
                                  • Instruction ID: 4972a5c8e9793f27487c38e84ebb0f0f2e89a98afba3aa9943728ba72f52f1f5
                                  • Opcode Fuzzy Hash: 082039cc34bd61a29cf74510c06e19a3b253f51a378e9957838d560cbf70ed13
                                  • Instruction Fuzzy Hash: 63F0DA713083424BEB615ABD9C84F2676EAAF55774B20072BF969DA3D0FA65CC418630
                                  Function 00062096 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 722COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0006209B
                                    • Part of subcall function 0004757D: GetLastError.KERNEL32(0004F1DC,?,?,?,?,?,?,00000000,?,00000000), ref: 0004757D
                                    • Part of subcall function 00062C6C: __EH_prolog.LIBCMT ref: 00062C71
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ErrorLastfree
                                  • String ID: Cannot find archive file$The item is a directory
                                  • API String ID: 683690243-1569138187
                                  • Opcode ID: 90e1b27efb63250bd01681c8f2b1ab8f1f246bb982538ea6753d77c788954b75
                                  • Instruction ID: b39bc2f82ec13bef5046f3c7449e43a4311eb763b5280379bec4600139a9b4b1
                                  • Opcode Fuzzy Hash: 90e1b27efb63250bd01681c8f2b1ab8f1f246bb982538ea6753d77c788954b75
                                  • Instruction Fuzzy Hash: C5723674D00658DFCB65DFA8C884BDDBBF2AF59304F14809AE859AB252CB709E81CF51
                                  Function 0007C911 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CountTickfputs
                                  • String ID: .
                                  • API String ID: 290905099-4150638102
                                  • Opcode ID: c6335a83c9ff7607c5c2d70b5ff7b9790a7449acc598234ad41d569681f8e929
                                  • Instruction ID: 79742b8277cf22798f129e1f949e25ea877d794e04e2138bdaa6ff27ee0280af
                                  • Opcode Fuzzy Hash: c6335a83c9ff7607c5c2d70b5ff7b9790a7449acc598234ad41d569681f8e929
                                  • Instruction Fuzzy Hash: 23715970A00B049FEB61EB64C591EAEB7F5AF81304F40882DF58B97642DB78F945CB19
                                  Function 000808B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00049C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00049CB3
                                    • Part of subcall function 00049C8F: GetProcAddress.KERNEL32(00000000), ref: 00049CBA
                                    • Part of subcall function 00049C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00049CC8
                                  • __aulldiv.LIBCMT ref: 0008093F
                                  • __aulldiv.LIBCMT ref: 0008094B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                                  • String ID: 3333
                                  • API String ID: 3520896023-2924271548
                                  • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                  • Instruction ID: 437a5b5e4b370dcfe5ec152e11fcb0378659944a0a8bdd1f6e73ebf5f1603e0a
                                  • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                                  • Instruction Fuzzy Hash: 9A2197B19007046FE770EF6A8881A6FBAF9FB84750F04892FF1C6D3742D670A9448B65
                                  Function 0006A7C5 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 606COMMON
                                  Download Yara Rule
                                  APIs
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  • memset.MSVCRT ref: 0006AEBA
                                  • memset.MSVCRT ref: 0006AECD
                                    • Part of subcall function 000804D2: _CxxThrowException.MSVCRT(?,000F4A58), ref: 000804F8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: memset$ExceptionThrowfree
                                  • String ID: Split
                                  • API String ID: 1404239998-1882502421
                                  • Opcode ID: 6fffd38a62789cb118ed39cd64e38cc4679d69a88f06825e2d1500b5b51bd075
                                  • Instruction ID: 2905a492455c7a77cbc1e07912465400175172e2ea2d243d4bc74cf68bb05d66
                                  • Opcode Fuzzy Hash: 6fffd38a62789cb118ed39cd64e38cc4679d69a88f06825e2d1500b5b51bd075
                                  • Instruction Fuzzy Hash: DD423B70A00249DFDB25EBA4C984BEDB7F6BF06314F1440A9E445B7252CB75AE85CF22
                                  Function 0004759A Relevance: 4.6, APIs: 3, Instructions: 64fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0004759F
                                    • Part of subcall function 0004764C: CloseHandle.KERNELBASE(00000000,?,000475AF,00000002,?,00000000,00000000), ref: 00047657
                                  • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 000475E5
                                  • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00047626
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CreateFile$CloseH_prologHandle
                                  • String ID:
                                  • API String ID: 449569272-0
                                  • Opcode ID: 8bde9919dd27a4cb100e23dfddd1931552ec37fcfbef94f45dd52f03f5530742
                                  • Instruction ID: 6093de7f30437b4a288ac9640b388b4cd5f8b1be6996f0f12632eaf73eac0831
                                  • Opcode Fuzzy Hash: 8bde9919dd27a4cb100e23dfddd1931552ec37fcfbef94f45dd52f03f5530742
                                  • Instruction Fuzzy Hash: 761196B280020AEFCF11AFA4DC418EEBBBAFF14354B108939F961561A2C7759D61DB54
                                  Function 000783BF Relevance: 4.6, APIs: 3, Instructions: 60COMMON
                                  Download Yara Rule
                                  APIs
                                  • fputs.MSVCRT ref: 00078437
                                  • fputs.MSVCRT ref: 00078401
                                    • Part of subcall function 00041FB3: __EH_prolog.LIBCMT ref: 00041FB8
                                  • __EH_prolog.LIBCMT ref: 000783C4
                                    • Part of subcall function 00041FA0: fputc.MSVCRT ref: 00041FA7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prologfputs$fputc
                                  • String ID:
                                  • API String ID: 678540050-0
                                  • Opcode ID: 36caceeb8cce35fd99f73d1ca8b150046fa31a2f8c2e10ae01203e73b45d7a19
                                  • Instruction ID: 97cf278ab4211b2e7b5a0135ae99bd88fc571d30bd887806733374e554b72259
                                  • Opcode Fuzzy Hash: 36caceeb8cce35fd99f73d1ca8b150046fa31a2f8c2e10ae01203e73b45d7a19
                                  • Instruction Fuzzy Hash: C0118671F041055BCB09B7A1D8179EEBB65DF80790F40403AF506A2293DF69595687DC
                                  Function 00047731 Relevance: 4.6, APIs: 3, Instructions: 60COMMON
                                  Download Yara Rule
                                  APIs
                                  • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,000477DB,?,?,00000000,?,00047832,?), ref: 00047773
                                  • GetLastError.KERNEL32(?,000477DB,?,?,00000000,?,00047832,?,?,?,?,00000000), ref: 00047780
                                  • SetLastError.KERNEL32(00000000,?,?,000477DB,?,?,00000000,?,00047832,?,?,?,?,00000000), ref: 00047797
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ErrorLast$FilePointer
                                  • String ID:
                                  • API String ID: 1156039329-0
                                  • Opcode ID: cf0679595728bde958bdcc2f501b286735b7bfd123bc47b61ed81fdcbcf02e4f
                                  • Instruction ID: 660589165741b03ce77ff5a34c1f5db5cb3470946db32ef9876d640063935ab4
                                  • Opcode Fuzzy Hash: cf0679595728bde958bdcc2f501b286735b7bfd123bc47b61ed81fdcbcf02e4f
                                  • Instruction Fuzzy Hash: 9C11EFB0208305AFEF218F68DC85BEE3BE5AF04360F108439F81A97292D7B59D009B64
                                  Function 00045A8C Relevance: 4.6, APIs: 3, Instructions: 54COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00045A91
                                  • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00045AB7
                                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00045AEC
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AttributesFile$H_prolog
                                  • String ID:
                                  • API String ID: 3790360811-0
                                  • Opcode ID: e8740f72864b76f9e689f4b20a3383bcf41bb2d1c41ae5d6b2c1b8ed63bc44aa
                                  • Instruction ID: 307caadba26cbd665c4c194c0a589f44865b80c5800e71a14bc65f378f454505
                                  • Opcode Fuzzy Hash: e8740f72864b76f9e689f4b20a3383bcf41bb2d1c41ae5d6b2c1b8ed63bc44aa
                                  • Instruction Fuzzy Hash: 2101F5B2E00215ABCF15ABA19C81AFFB775EF40751F148436ED1163293CB754C11D694
                                  Function 00075883 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 22COMMON
                                  Download Yara Rule
                                  APIs
                                  • EnterCriticalSection.KERNEL32(00102938), ref: 0007588B
                                  • LeaveCriticalSection.KERNEL32(00102938), ref: 000758BC
                                    • Part of subcall function 0007C911: GetTickCount.KERNEL32 ref: 0007C926
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CriticalSection$CountEnterLeaveTick
                                  • String ID: v
                                  • API String ID: 1056156058-3261393531
                                  • Opcode ID: 6adca72d97c53469374e9ac42ef14ae69fbe2866bcc399c1b6ca5f0221ba7d34
                                  • Instruction ID: 51809ffedde3f088836c1f9521eeb4d74c7deff3b6095299c3936131720b0130
                                  • Opcode Fuzzy Hash: 6adca72d97c53469374e9ac42ef14ae69fbe2866bcc399c1b6ca5f0221ba7d34
                                  • Instruction Fuzzy Hash: B3E06575A05320DFE304DF18D948E8A37E5AF98311F05846EF409AB362CB388849CAA6
                                  Function 00055BEA Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 481COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00055BEF
                                    • Part of subcall function 000554C0: __EH_prolog.LIBCMT ref: 000554C5
                                    • Part of subcall function 00055630: __EH_prolog.LIBCMT ref: 00055635
                                    • Part of subcall function 000636EA: __EH_prolog.LIBCMT ref: 000636EF
                                    • Part of subcall function 000557C1: __EH_prolog.LIBCMT ref: 000557C6
                                    • Part of subcall function 000558BE: __EH_prolog.LIBCMT ref: 000558C3
                                  Strings
                                  • Cannot seek to begin of file, xrefs: 0005610F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: Cannot seek to begin of file
                                  • API String ID: 3519838083-2298593816
                                  • Opcode ID: 99dd95a69d1889b099782a563516c77396f9b0e58a2ca6d1d82b9afc0bbe19d9
                                  • Instruction ID: 2a6db0a68d7cd3d2df393c0c42593acc769b7cc5e7388d2a0a3d1bea459ca8df
                                  • Opcode Fuzzy Hash: 99dd95a69d1889b099782a563516c77396f9b0e58a2ca6d1d82b9afc0bbe19d9
                                  • Instruction Fuzzy Hash: DF1210719046459FDF25DFA4C894BEFBBF5AF04316F08002DE84667293DB71AA88CB61
                                  Function 00084E8A Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 468COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00084E8F
                                    • Part of subcall function 0004965D: VariantClear.OLEAUT32(?), ref: 0004967F
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ClearH_prologVariantfree
                                  • String ID: file
                                  • API String ID: 904627215-2359244304
                                  • Opcode ID: f77eb16735ab07787108e21c03b2bac262bf62a8f70b93d5af9ccfc976485c58
                                  • Instruction ID: 7c07232482727fcc097c2267cb1ac14d013ad4b5f4c8c939dfad32fc173dea17
                                  • Opcode Fuzzy Hash: f77eb16735ab07787108e21c03b2bac262bf62a8f70b93d5af9ccfc976485c58
                                  • Instruction Fuzzy Hash: 14127C74A00209DFCF11EFA5C985AEEBBB6BF44345F204078E445AB2A3DB71AE45CB54
                                  Function 00062CDB Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 388COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00062CE0
                                    • Part of subcall function 00045E10: __EH_prolog.LIBCMT ref: 00045E15
                                    • Part of subcall function 000541EC: _CxxThrowException.MSVCRT(?,000F4A58), ref: 0005421A
                                    • Part of subcall function 0004965D: VariantClear.OLEAUT32(?), ref: 0004967F
                                  Strings
                                  • Cannot create output directory, xrefs: 00063070
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ClearExceptionThrowVariant
                                  • String ID: Cannot create output directory
                                  • API String ID: 814188403-1181934277
                                  • Opcode ID: c67f25b8131397b5f34ee957d65e0a7fa1a415d93ab50be4c22ea1492fc22a0e
                                  • Instruction ID: 37acdb98a80d3d36d5d89976fea1b77e66cd4a52fc25db3851793468e018f272
                                  • Opcode Fuzzy Hash: c67f25b8131397b5f34ee957d65e0a7fa1a415d93ab50be4c22ea1492fc22a0e
                                  • Instruction Fuzzy Hash: 07F1BF70901289EFDF25EFA4C890AEEBBF6BF19300F1444B9E44567252DB31AE49CB51
                                  Function 0007C7D7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • fputs.MSVCRT ref: 0007C840
                                    • Part of subcall function 000425CB: _CxxThrowException.MSVCRT(?,000F4A58), ref: 000425ED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionThrowfputs
                                  • String ID:
                                  • API String ID: 1334390793-399585960
                                  • Opcode ID: 4bd21a1784eb90450c1144035f6fcf3ae8c3eddecce5e8c3b990d003c7df7de4
                                  • Instruction ID: b99b6faa3cd6a89a7ff8acd23096d99e25f08fe66ae04e84105fc7939c00efd4
                                  • Opcode Fuzzy Hash: 4bd21a1784eb90450c1144035f6fcf3ae8c3eddecce5e8c3b990d003c7df7de4
                                  • Instruction Fuzzy Hash: 4811E271A047409FEB15CF58C8C1BAABBE6EF45304F04846EE14A8B241CBB5B804C760
                                  Function 00076086 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID: Open
                                  • API String ID: 1795875747-71445658
                                  • Opcode ID: 43bdb48b5f9d197a91b919ad6effc10052e3939f3e0cb5be68d0cfcee397654d
                                  • Instruction ID: 6a08830db5c2887c53bb3d8e8d4ce9cc1affb1f1edfcb162884de55dc8e8b1fc
                                  • Opcode Fuzzy Hash: 43bdb48b5f9d197a91b919ad6effc10052e3939f3e0cb5be68d0cfcee397654d
                                  • Instruction Fuzzy Hash: 8911CE72500B449FD764EF34D891ADABBE1EF14310B40883EE59A87212DB3AA844CF58
                                  Function 000558BE Relevance: 3.3, APIs: 2, Instructions: 253COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 000558C3
                                    • Part of subcall function 00046C72: __EH_prolog.LIBCMT ref: 00046C77
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID:
                                  • API String ID: 2654054672-0
                                  • Opcode ID: 6e316c1cbbd6042bb0c69bdfe462925dfffcd933fc9c7b5277a7895ab6942f31
                                  • Instruction ID: 67a191c99199abbc8dd3d8943a688fd2c99a0dd58620bf4bc6a3a43349f3b453
                                  • Opcode Fuzzy Hash: 6e316c1cbbd6042bb0c69bdfe462925dfffcd933fc9c7b5277a7895ab6942f31
                                  • Instruction Fuzzy Hash: B89101B19005059FDF25EBA4CCA5AEFBBB2EF44312F104069ED02A7253DB315D48CB65
                                  Function 000906AE Relevance: 3.2, APIs: 2, Instructions: 206COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 000906B3
                                  • _CxxThrowException.MSVCRT(?,000FD480), ref: 000908F2
                                    • Part of subcall function 00041E0C: malloc.MSVCRT ref: 00041E1F
                                    • Part of subcall function 00041E0C: _CxxThrowException.MSVCRT(?,000F4B28), ref: 00041E39
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionThrow$H_prologmalloc
                                  • String ID:
                                  • API String ID: 3044594480-0
                                  • Opcode ID: ff1fbc0c2e2d1210ab02fc56253d7a58c0e82b93a81a34c2b790d7bd531e0875
                                  • Instruction ID: 3f0a64f3845e6a5803d16f5d5d2c02cf535e100366ce5e338e084a7be0b4f438
                                  • Opcode Fuzzy Hash: ff1fbc0c2e2d1210ab02fc56253d7a58c0e82b93a81a34c2b790d7bd531e0875
                                  • Instruction Fuzzy Hash: E9916F75D00249DFCF21DFA9C881AEEBBB5BF09304F1480A9E495A7252CB30AE45DF61
                                  Function 00057190 Relevance: 3.1, APIs: 2, Instructions: 138COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 7030f74d4f9347c585fbbc45bb10f3d1298f5d65f82ed7a88261cd3e135032ce
                                  • Instruction ID: ab5c8200c0321430e8bca9745435c5251362c013d7359560be44ee5207d958e8
                                  • Opcode Fuzzy Hash: 7030f74d4f9347c585fbbc45bb10f3d1298f5d65f82ed7a88261cd3e135032ce
                                  • Instruction Fuzzy Hash: 9F51A170508B809FDB65CF64D494AEBBBF2BF45305F18885DE8DA4B202C731B988EB50
                                  Function 00067B48 Relevance: 3.1, APIs: 2, Instructions: 122COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00067B4D
                                  • memcpy.MSVCRT(00000000,001027DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00067C65
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prologmemcpy
                                  • String ID:
                                  • API String ID: 2991061955-0
                                  • Opcode ID: b2c6dc31f02e25bbb4eb26035922af7ef069be17e86705f5687f3fd189a2b19b
                                  • Instruction ID: 65a493d8a3c6a47e138a506c31ee8f2e232cda12e97f4922e5ad35e85140c559
                                  • Opcode Fuzzy Hash: b2c6dc31f02e25bbb4eb26035922af7ef069be17e86705f5687f3fd189a2b19b
                                  • Instruction Fuzzy Hash: 5C419E71904219DFCF20EFA4C951AEEB7F5BF04314F20452EE44AA7292DB71AE09CB50
                                  Function 00091511 Relevance: 3.0, APIs: 2, Instructions: 39COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00091516
                                    • Part of subcall function 000910D3: __EH_prolog.LIBCMT ref: 000910D8
                                  • _CxxThrowException.MSVCRT(?,000FD480), ref: 00091561
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrow
                                  • String ID:
                                  • API String ID: 2366012087-0
                                  • Opcode ID: 6d7cacc16fc503569442a3e7f87de9ee7ef14e020ad280c0c29d914c05204e71
                                  • Instruction ID: c4121d0af6d68924258d7079e97ac16d2829c6a76ca5386bc1f51151af48a1a5
                                  • Opcode Fuzzy Hash: 6d7cacc16fc503569442a3e7f87de9ee7ef14e020ad280c0c29d914c05204e71
                                  • Instruction Fuzzy Hash: F401F23260028AEFDF118F94C815BEE7FB8EF81360F04405AF5455B252C3B6A951A7A0
                                  Function 000757FB Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00075800
                                  • fputs.MSVCRT ref: 00075830
                                    • Part of subcall function 00041FA0: fputc.MSVCRT ref: 00041FA7
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prologfputcfputsfree
                                  • String ID:
                                  • API String ID: 195749403-0
                                  • Opcode ID: bcc1ce675bff8045ccd0a570cc58401d5e48d059f2c0b9c193b5f0eb0c3da861
                                  • Instruction ID: 4ba7f66050e9a07eaee63aee3c32d9d36b3e4c1e6349b3f43e76453908f2f43a
                                  • Opcode Fuzzy Hash: bcc1ce675bff8045ccd0a570cc58401d5e48d059f2c0b9c193b5f0eb0c3da861
                                  • Instruction Fuzzy Hash: BFF05E32900504DFDB15AB94E8127EEBBB1EF04750F40843AE906A7192CB785995CB88
                                  Function 0004950D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SysAllocStringLen.OLEAUT32(?,?), ref: 0004952C
                                  • _CxxThrowException.MSVCRT(00000000,000F55B8), ref: 0004954A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AllocExceptionStringThrow
                                  • String ID:
                                  • API String ID: 3773818493-0
                                  • Opcode ID: 417d491aa8eadc4463ef93ef59f4ac9e9cfc72133d64f925486ca8625bfa4588
                                  • Instruction ID: 64c4e76bdcf9582a2593c3325ab4101906b162b5087322acb842574aab874b34
                                  • Opcode Fuzzy Hash: 417d491aa8eadc4463ef93ef59f4ac9e9cfc72133d64f925486ca8625bfa4588
                                  • Instruction Fuzzy Hash: 5FF06D72650704ABD710EFA8D885E977BECEF04790740843AFA49CF211E775E8408794
                                  Function 0007B5B1 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs$fputc
                                  • String ID:
                                  • API String ID: 1185151155-0
                                  • Opcode ID: fae418525f15f8fc897811572cc9b5aac99f6794ef4116a6a2d8fc8a0c3df3a2
                                  • Instruction ID: 9ecec18551cd90e546bf1cacd3fa57e65089486ac823acd2c5c304bfc237e207
                                  • Opcode Fuzzy Hash: fae418525f15f8fc897811572cc9b5aac99f6794ef4116a6a2d8fc8a0c3df3a2
                                  • Instruction Fuzzy Hash: 93E0CD776051105FE6161744BC01DA437D5DFC5761329003FEA40D72616F2B3D156AA8
                                  Function 000D7E00 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ErrorLast_beginthreadex
                                  • String ID:
                                  • API String ID: 4034172046-0
                                  • Opcode ID: 47dca45a552e5b9cb45bbd5af0432539971ddaa619145549098e1422aa8b935a
                                  • Instruction ID: 3c6311bf269bb592c4e413a528f0504c258d16b85a2f9907c30881aff5585339
                                  • Opcode Fuzzy Hash: 47dca45a552e5b9cb45bbd5af0432539971ddaa619145549098e1422aa8b935a
                                  • Instruction Fuzzy Hash: 75E08CB22083126AF3109B608C02FB772DCABA4B41F40887EFA49DA280F6608D00C3B5
                                  Function 00049C4D Relevance: 3.0, APIs: 2, Instructions: 7COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetCurrentProcess.KERNEL32(?,?,00049C6E), ref: 00049C52
                                  • GetProcessAffinityMask.KERNEL32(00000000), ref: 00049C59
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: Process$AffinityCurrentMask
                                  • String ID:
                                  • API String ID: 1231390398-0
                                  • Opcode ID: 5fdf5a09f95fdbdb7096816b06f73719aaf2c1fda3a394f725a463376ea832c1
                                  • Instruction ID: d344e020fff0c668764179c8c717ae2387d7037c79732485ebbb47c8fb2015b2
                                  • Opcode Fuzzy Hash: 5fdf5a09f95fdbdb7096816b06f73719aaf2c1fda3a394f725a463376ea832c1
                                  • Instruction Fuzzy Hash: 82B092B2400280EBFE00DBA09D8CC167B2CAB446013004644F10ADA010C63BC0468B60
                                  Function 0004B668 Relevance: 2.7, APIs: 2, Instructions: 222COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ErrorLastmemcpy
                                  • String ID:
                                  • API String ID: 2523627151-0
                                  • Opcode ID: f4af519f249330f4c3cd4d93c6f45f39bf2f58c8b1816e605e55a0b728772cac
                                  • Instruction ID: 9af76edc0c89eddbde0e5e3214dd53604e9132a5eb6ff55ae23d03b11b446b8a
                                  • Opcode Fuzzy Hash: f4af519f249330f4c3cd4d93c6f45f39bf2f58c8b1816e605e55a0b728772cac
                                  • Instruction Fuzzy Hash: D7813BB1A047059FDBB4CF25C980AAAB7F6BF84314F15893EE84687A40DB34F945CB58
                                  Function 00041E0C Relevance: 2.5, APIs: 2, Instructions: 18COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionThrowmalloc
                                  • String ID:
                                  • API String ID: 2436765578-0
                                  • Opcode ID: 3f52c3ed4edb2af4a24051a9901799406e64a1ed601fab585718cdaa85317714
                                  • Instruction ID: 3f7d3c703f4498189ff61be1367209719893bb89a3c57e4beeee6920694944a3
                                  • Opcode Fuzzy Hash: 3f52c3ed4edb2af4a24051a9901799406e64a1ed601fab585718cdaa85317714
                                  • Instruction Fuzzy Hash: 25E08C3410028CAADF105FA1D844BE93BA85F01765F00D026FD189E202C370C7D18754
                                  Function 0008B05D Relevance: 2.2, APIs: 1, Instructions: 653COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 363ab5cf75a166b67091d57bf69be98ba32755f154d52ecf2b6528184a661af8
                                  • Instruction ID: 9f56c7e06c529a72c5fd179a29a573747284965b135016d37f13e17634a101df
                                  • Opcode Fuzzy Hash: 363ab5cf75a166b67091d57bf69be98ba32755f154d52ecf2b6528184a661af8
                                  • Instruction Fuzzy Hash: 11529F30904249DFDF11DFA8C598BADBBF5BF49304F284099E885AB292DB74DE45CB21
                                  Function 00056305 Relevance: 1.9, APIs: 1, Instructions: 377COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 0ae237782e4aa7e1f7124d64ec2716e3ec16ce3c0d0f1504b77b0215d83a11a3
                                  • Instruction ID: 4bc3e9992a17acd0d6e3dc00874e2441237744e85fb6a46419005fd8859504c2
                                  • Opcode Fuzzy Hash: 0ae237782e4aa7e1f7124d64ec2716e3ec16ce3c0d0f1504b77b0215d83a11a3
                                  • Instruction Fuzzy Hash: F9F1AC70604B85DFCF61CF64C490AEBBBF1BF19305F94486EE89A97212D732A948CB51
                                  Function 000910D3 Relevance: 1.8, APIs: 1, Instructions: 336COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 14e176c67b25c349caa4c6cfb6f7f77d0fad6c8d8253f9e30071570110d11138
                                  • Instruction ID: 9c2f6e1b37d6de62163a07c8d178d079e666dfd463d8c58d80a11830b94c415d
                                  • Opcode Fuzzy Hash: 14e176c67b25c349caa4c6cfb6f7f77d0fad6c8d8253f9e30071570110d11138
                                  • Instruction Fuzzy Hash: EED17870B00746AFDF68DFA4C880BEEBBF1BF18300F108529E595A7692D775A944DB90
                                  Function 0008CF91 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0008CF96
                                    • Part of subcall function 00091511: __EH_prolog.LIBCMT ref: 00091516
                                    • Part of subcall function 00091511: _CxxThrowException.MSVCRT(?,000FD480), ref: 00091561
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrow
                                  • String ID:
                                  • API String ID: 2366012087-0
                                  • Opcode ID: 851e8e7028ebe1977790c339d6a0c6703f5b676c3b798bef21253570dee5437c
                                  • Instruction ID: 0b245d998471bf5ade137cdb1a325865f2d033e340a855827593d1eff0ab3554
                                  • Opcode Fuzzy Hash: 851e8e7028ebe1977790c339d6a0c6703f5b676c3b798bef21253570dee5437c
                                  • Instruction Fuzzy Hash: 74511D71904289DFCB11DFA8C888BAEBBF4BF49304F1444AEE49A97242C7759E45DF21
                                  Function 0007F784 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: a26b9da92d1f60924ab50cb63a815e57ea39a0da395de2137197bc0658a6e434
                                  • Instruction ID: 8f2302d947155b267b083a0672165e84fa22cb27f5a4c78bba481d15cc4fe732
                                  • Opcode Fuzzy Hash: a26b9da92d1f60924ab50cb63a815e57ea39a0da395de2137197bc0658a6e434
                                  • Instruction Fuzzy Hash: EE515874E00606CFCB64CFA8C4809BEBBF2FF49340B108969E596AB751D735A906CF94
                                  Function 0008AD3A Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: baebd38546865c5ed0381bdf716b4ab316470b4c175f9f6de6b518657dbf6e56
                                  • Instruction ID: 9c756fe511a01a3cd6c4a330f393fdb39d4bc7d063a83a40958ca475929ddb26
                                  • Opcode Fuzzy Hash: baebd38546865c5ed0381bdf716b4ab316470b4c175f9f6de6b518657dbf6e56
                                  • Instruction Fuzzy Hash: 63418E70A00756EFEB64DF54C484B6ABBE0BF56310F188A6ED49687A91C370ED81CB91
                                  Function 00054250 Relevance: 1.6, APIs: 1, Instructions: 114COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00054255
                                    • Part of subcall function 0005440B: __EH_prolog.LIBCMT ref: 00054410
                                    • Part of subcall function 00041E0C: malloc.MSVCRT ref: 00041E1F
                                    • Part of subcall function 00041E0C: _CxxThrowException.MSVCRT(?,000F4B28), ref: 00041E39
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrowmalloc
                                  • String ID:
                                  • API String ID: 3744649731-0
                                  • Opcode ID: aa05876ad48fc4b7cf96f5bb1897ccfaf9be2eaf501f6e82b7b7e2bd92612184
                                  • Instruction ID: 512b7385ce151105fd8e9d39125fb8267e394484bd60b2b7ecf330363b707c13
                                  • Opcode Fuzzy Hash: aa05876ad48fc4b7cf96f5bb1897ccfaf9be2eaf501f6e82b7b7e2bd92612184
                                  • Instruction Fuzzy Hash: 0D51D5B0801784CFC325DF6AC1846DAFBF0FF19304F5588AED49A9B652D7B4A648CB61
                                  Function 0006D0E1 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0006D0E6
                                    • Part of subcall function 00041E0C: malloc.MSVCRT ref: 00041E1F
                                    • Part of subcall function 00041E0C: _CxxThrowException.MSVCRT(?,000F4B28), ref: 00041E39
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ExceptionH_prologThrowmalloc
                                  • String ID:
                                  • API String ID: 3978722251-0
                                  • Opcode ID: 7cf8807ccf8572534c8249eebbec8be16d134e62d686b50359bb0123bc98da44
                                  • Instruction ID: b76f70d4f42c7c06ba2869afc3e3877edb43f52a2f4466155c4b8c6b002d61d8
                                  • Opcode Fuzzy Hash: 7cf8807ccf8572534c8249eebbec8be16d134e62d686b50359bb0123bc98da44
                                  • Instruction Fuzzy Hash: 5C419371F00255AFCB14DBA8C944BAEBBF5AF59310F24456AE446EB282C7B0DD44C790
                                  Function 00057FC5 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00057FCA
                                    • Part of subcall function 0004950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0004952C
                                    • Part of subcall function 0004950D: _CxxThrowException.MSVCRT(00000000,000F55B8), ref: 0004954A
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AllocExceptionH_prologStringThrow
                                  • String ID:
                                  • API String ID: 1940201546-0
                                  • Opcode ID: 35fc255fef579063d1831a7c36696b358aa412226c9abab5e34557054f9c5a53
                                  • Instruction ID: 634dae1d81d80515f5e86a02819303903216da89b443b4ded9e6ceabdc071244
                                  • Opcode Fuzzy Hash: 35fc255fef579063d1831a7c36696b358aa412226c9abab5e34557054f9c5a53
                                  • Instruction Fuzzy Hash: 95318272810209DACFA8AF64C8519FF77B0FF14316F509029EC12B71A2DE359A0DD755
                                  Function 0007ADB7 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0007ADBC
                                    • Part of subcall function 0007AD29: __EH_prolog.LIBCMT ref: 0007AD2E
                                    • Part of subcall function 0007AF2D: __EH_prolog.LIBCMT ref: 0007AF32
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: a44216fa3fa520aa0fcebebb671b184396efbc5fee71fcd5f3694a752e940584
                                  • Instruction ID: 571a9d97a85f200d35df8a940c0d483f7b14c13d48a41b67f34eafef47550822
                                  • Opcode Fuzzy Hash: a44216fa3fa520aa0fcebebb671b184396efbc5fee71fcd5f3694a752e940584
                                  • Instruction Fuzzy Hash: 6741EA7154ABC0CEC326DF6981646CAFFE06F26200F84C99ED0EA43653D674A60CC76A
                                  Function 0006062E Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 1ed4ee6a3de1f171a515af3071f208ef5c6f223d6f1c0a902cbab16c27709133
                                  • Instruction ID: 4a49218dfbc9619ae4f6c9e63c21fe3b2751a7b401d255f5becd68b98d2e1be6
                                  • Opcode Fuzzy Hash: 1ed4ee6a3de1f171a515af3071f208ef5c6f223d6f1c0a902cbab16c27709133
                                  • Instruction Fuzzy Hash: 0931F8B0D40209DFCB14EF95C8A18EFBBB6FF95364B20851AE42667252D7309E01CBA0
                                  Function 000698F2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 000698F7
                                    • Part of subcall function 00069987: __EH_prolog.LIBCMT ref: 0006998C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 03b09755d2b2fde072721e92606ab5f2c2cdf6af31c3398734367d46f987de7f
                                  • Instruction ID: cdc6c2d8ee7260694e901dfa1aecb310d0ba283cd3501c8a2ddf7c2da65d55ac
                                  • Opcode Fuzzy Hash: 03b09755d2b2fde072721e92606ab5f2c2cdf6af31c3398734367d46f987de7f
                                  • Instruction Fuzzy Hash: 8F1179357002459FDB50CF69C884BAAB3BAFF89350F14891CE952DB6A1CB31E801CB20
                                  Function 0006021A Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0006021F
                                    • Part of subcall function 00053D66: __EH_prolog.LIBCMT ref: 00053D6B
                                    • Part of subcall function 00053D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053D7D
                                    • Part of subcall function 00053D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053D94
                                    • Part of subcall function 00053D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00053DB6
                                    • Part of subcall function 00053D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053DCB
                                    • Part of subcall function 00053D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053DD5
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                  • String ID:
                                  • API String ID: 1532160333-0
                                  • Opcode ID: bd84aa0f0a8bd1f722808404f9bb220f1680b9631cd479f035332bd8812c2d84
                                  • Instruction ID: 315241c5cba420cee8a3556da2d82486dbf219f5452d388c4ef4758694a66f86
                                  • Opcode Fuzzy Hash: bd84aa0f0a8bd1f722808404f9bb220f1680b9631cd479f035332bd8812c2d84
                                  • Instruction Fuzzy Hash: 232139B1846B90CFC321CF6A86D1686FFF4BB19604B94996FC0DA93B12C774A508CF55
                                  Function 00061C6F Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00061C74
                                    • Part of subcall function 00046C72: __EH_prolog.LIBCMT ref: 00046C77
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: a29b3f71d94d59e80cbb9f0c2dfc8e7965036a553797cea967d2863cdc56b841
                                  • Instruction ID: b2d1f8605d4f6a8dfed3d2679c33c1a508622a1b68377b5a41de0d30dbd12ae6
                                  • Opcode Fuzzy Hash: a29b3f71d94d59e80cbb9f0c2dfc8e7965036a553797cea967d2863cdc56b841
                                  • Instruction Fuzzy Hash: 7011C4B1A002049BCF19FBD4C852BEDBBB6AF04365F044039E84273193DF615D46C698
                                  Function 00057E5A Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00057E5F
                                    • Part of subcall function 00046C72: __EH_prolog.LIBCMT ref: 00046C77
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                    • Part of subcall function 0004757D: GetLastError.KERNEL32(0004F1DC,?,?,?,?,?,?,00000000,?,00000000), ref: 0004757D
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ErrorLastfree
                                  • String ID:
                                  • API String ID: 683690243-0
                                  • Opcode ID: d4801a2f7f0ec7e6375d7324559e7ee5350d3dcee3c0a38ccb185672010fbdfa
                                  • Instruction ID: 8a9aa9fec2c397b9de21e00bc862083bf4faa2096e69a18d8c3af9a256c08852
                                  • Opcode Fuzzy Hash: d4801a2f7f0ec7e6375d7324559e7ee5350d3dcee3c0a38ccb185672010fbdfa
                                  • Instruction Fuzzy Hash: 8501CE72A407009EC721AF64D8A29DBBBB1EF45310B00467EE88763692CA34690CCA54
                                  Function 0008BF8C Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0008BF91
                                    • Part of subcall function 0008D144: __EH_prolog.LIBCMT ref: 0008D149
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID:
                                  • API String ID: 2654054672-0
                                  • Opcode ID: e29059d342373c206852315f5220b24cfd68687ecaa7bde5d19d4a5fd2635019
                                  • Instruction ID: ca4dcde834d98a17d456db8341f50a80ca4a27c4baf8e0c47854050f58610994
                                  • Opcode Fuzzy Hash: e29059d342373c206852315f5220b24cfd68687ecaa7bde5d19d4a5fd2635019
                                  • Instruction Fuzzy Hash: EF1170B0500715DFC724EF64C905BDABBF5BF01344F108A2DE4AAA3693D7B5AA08DB94
                                  Function 0008BDB5 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0008BDBA
                                    • Part of subcall function 0008BE69: __EH_prolog.LIBCMT ref: 0008BE6E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: d54c976f0cbe90925c0f54d6f0884afeb02d261c999abfab07cdfcfe70e23f36
                                  • Instruction ID: 291b6a5bc0f017924965cb89ce31b7936ebb6f9af77c07c95da5227eac7b8c03
                                  • Opcode Fuzzy Hash: d54c976f0cbe90925c0f54d6f0884afeb02d261c999abfab07cdfcfe70e23f36
                                  • Instruction Fuzzy Hash: A111D4B0501789CFC720DF5AC5886D6FBE4BB19304F54C8AE90AA57712C7B4A548CB60
                                  Function 00047AB2 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00041AD1,00000000,00000002,00000002,?,00047B3E,?,00000000), ref: 00047AFD
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: FileTime
                                  • String ID:
                                  • API String ID: 1425588814-0
                                  • Opcode ID: 1ec913af5c498005e7fa27d6acd6e866c9c896eb9e46b822fbab09262da174f3
                                  • Instruction ID: 24a854e81f07df6d1fbb1808d57b255469e4f92def4f0f34e9cc67c86d3fa253
                                  • Opcode Fuzzy Hash: 1ec913af5c498005e7fa27d6acd6e866c9c896eb9e46b822fbab09262da174f3
                                  • Instruction Fuzzy Hash: B9018FB0104289BFEF268F54CC05BEE3FE5DB05320F148159B9A9562E2C7619E61D754
                                  Function 0007ACF8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0007C0B8
                                    • Part of subcall function 00067193: __EH_prolog.LIBCMT ref: 00067198
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID:
                                  • API String ID: 2654054672-0
                                  • Opcode ID: 702b904a258077eac8b30ab58bee996f0bb21b2ad2ffefbd41c8ab6d536c9fd1
                                  • Instruction ID: caf4023b48770aac724edc6ce37c0eafa62306fd53c8def8d28a4f1ea48ecf47
                                  • Opcode Fuzzy Hash: 702b904a258077eac8b30ab58bee996f0bb21b2ad2ffefbd41c8ab6d536c9fd1
                                  • Instruction Fuzzy Hash: DCF09672900311DBD7255B59D851BEEF3A9EF54760F10402FA50697602CBB59C5086D4
                                  Function 0008035F Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00080364
                                    • Part of subcall function 000801C4: __EH_prolog.LIBCMT ref: 000801C9
                                    • Part of subcall function 00080143: __EH_prolog.LIBCMT ref: 00080148
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                    • Part of subcall function 000803D8: __EH_prolog.LIBCMT ref: 000803DD
                                    • Part of subcall function 0008004A: __EH_prolog.LIBCMT ref: 0008004F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$free
                                  • String ID:
                                  • API String ID: 2654054672-0
                                  • Opcode ID: 7efcce91efead5e88b236fe15d112aec3f0cb4fe6d386e071e510c8c93f75b4c
                                  • Instruction ID: 138d8dc3ffbdda8b1137543e3edc5a803938f6fc6c0844ef7a15cf35cee345eb
                                  • Opcode Fuzzy Hash: 7efcce91efead5e88b236fe15d112aec3f0cb4fe6d386e071e510c8c93f75b4c
                                  • Instruction Fuzzy Hash: 33F0F471914B50DFDB19FB68C4263EDBBE5AF04314F10465DE496632D3CBB86B088748
                                  Function 00078565 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 8b2a746f666abf18795738463a4b6f6ee81a8e63b9a7c3d02a270406ef367682
                                  • Instruction ID: 66f83fe1f721ef3c7dd209069429e62818a523fec5735ef60bb3c0afb1d0e1f2
                                  • Opcode Fuzzy Hash: 8b2a746f666abf18795738463a4b6f6ee81a8e63b9a7c3d02a270406ef367682
                                  • Instruction Fuzzy Hash: 34F0C272E0011AEBCB14DF98D8448EFBB74FF44750B00C16AF41AE7251CB388A01CB94
                                  Function 00085505 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0008550A
                                    • Part of subcall function 00084E8A: __EH_prolog.LIBCMT ref: 00084E8F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: fb61515ec3a822010593435ac447c53d6b1a8ee33af55145e5a678aa24f8e9ab
                                  • Instruction ID: f27d2db1f7c52811c801af18f0d4257134fab524265e55aa788c59ab2fc92115
                                  • Opcode Fuzzy Hash: fb61515ec3a822010593435ac447c53d6b1a8ee33af55145e5a678aa24f8e9ab
                                  • Instruction Fuzzy Hash: BCF09B76600A15EFCB119F48D821BDE7BB9FF85361F10842AF44557341DB75DD008BA0
                                  Function 00069987 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: ac00551fa78f7c338eea1686d41997e8757156b105e324d46996fdc6983dedef
                                  • Instruction ID: 0259fffa96e0e02d05521b1ea3b1392c64eb01678ee03f26e2071072e67a19be
                                  • Opcode Fuzzy Hash: ac00551fa78f7c338eea1686d41997e8757156b105e324d46996fdc6983dedef
                                  • Instruction Fuzzy Hash: 31E0ED76600204EFC714EF99D855F9EB7B8EB48364F10845AB44A97252C7759900CA64
                                  Function 00085E2B Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00085E30
                                    • Part of subcall function 000808B6: __aulldiv.LIBCMT ref: 0008093F
                                    • Part of subcall function 0005DFC9: __EH_prolog.LIBCMT ref: 0005DFCE
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$__aulldiv
                                  • String ID:
                                  • API String ID: 604474441-0
                                  • Opcode ID: 76145a3f64903ad6891ebbfa1d4c8996d4a9054022eab87eaf75e8ee53053a46
                                  • Instruction ID: 3b977e9afddc50b71b1d15fe434b672450e50a19aa24a462f77fc75d2d38829b
                                  • Opcode Fuzzy Hash: 76145a3f64903ad6891ebbfa1d4c8996d4a9054022eab87eaf75e8ee53053a46
                                  • Instruction Fuzzy Hash: 7CE03971A10B50DFC795EBA8915129EB6E4BB08700F00486FA086D3B42DBB4A9048B90
                                  Function 00088ED1 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00088ED6
                                    • Part of subcall function 00089267: __EH_prolog.LIBCMT ref: 0008926C
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 1d51186e4a5122081beb67fc1f6bd4c8c2356f9f7cbb8a1f0386bd8902bcad30
                                  • Instruction ID: 1038f523b896579cf7e07edd8d4c022d5b7c3caa081c39954839becc2554a805
                                  • Opcode Fuzzy Hash: 1d51186e4a5122081beb67fc1f6bd4c8c2356f9f7cbb8a1f0386bd8902bcad30
                                  • Instruction Fuzzy Hash: C9E09271910A649AC709FB64D522BEDB7A8FF04704F04465DA443A3683DFB86604C791
                                  Function 00047C68 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00047C8B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 87ff5cb2ac565983c68e7bb9bf86f672852f5c4642d7ac90e7a1cfc9635396e0
                                  • Instruction ID: 289a2e408d3ae6070a29cd7f4027ddb4fbf8d11a637f41d2670023feae6dc448
                                  • Opcode Fuzzy Hash: 87ff5cb2ac565983c68e7bb9bf86f672852f5c4642d7ac90e7a1cfc9635396e0
                                  • Instruction Fuzzy Hash: 8BE06575600209FBCB00CFA1C800B8E7BB9AB09754F20C06AF808AA260C33A9A10DF04
                                  Function 0008BE69 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0008BE6E
                                    • Part of subcall function 00085E2B: __EH_prolog.LIBCMT ref: 00085E30
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: 32d9c423155621917c2ae9df8f26b38dbdb6c399a2104f2b3c5ac8986fe46a2d
                                  • Instruction ID: 3d02d8fa9bd78700710485b361b276f664716cad5d9e07cd83a005888e3753aa
                                  • Opcode Fuzzy Hash: 32d9c423155621917c2ae9df8f26b38dbdb6c399a2104f2b3c5ac8986fe46a2d
                                  • Instruction Fuzzy Hash: D2E09271A24AA08BD315FB24C421BDDB7A8BB00704F00845FE4D6D3283CFB86A04C7A1
                                  Function 00042201 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID:
                                  • API String ID: 1795875747-0
                                  • Opcode ID: 05de736f077299bc118ebb80f9ac277396312ea1384d2b8ef8fd79bda1f6fb5a
                                  • Instruction ID: 83ca457116855c7fac88f40f17d0b1fa7b43a96fd7afa0d62a45da4690a8d440
                                  • Opcode Fuzzy Hash: 05de736f077299bc118ebb80f9ac277396312ea1384d2b8ef8fd79bda1f6fb5a
                                  • Instruction Fuzzy Hash: 6CD01232504119ABDF156B94DC45CDD77BCEF08214700442AF941F2151EA75E5158794
                                  Function 0007F745 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0007F74A
                                    • Part of subcall function 0007F784: __EH_prolog.LIBCMT ref: 0007F789
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID:
                                  • API String ID: 3519838083-0
                                  • Opcode ID: ad71a987a8d9002bf76ddf3a539d04d4d2adb8561b45dec960a1abdb314997cc
                                  • Instruction ID: be4a5b7e1d11cea900252e680ec5d422fd72fda78daffd5897dcaf6bb63cb020
                                  • Opcode Fuzzy Hash: ad71a987a8d9002bf76ddf3a539d04d4d2adb8561b45dec960a1abdb314997cc
                                  • Instruction Fuzzy Hash: 33D01271A14245BFD7149B45DC17BEEB778EB40764F10452FF00571241C3B9590086A4
                                  Function 00047B4F Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0004785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00047B65
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 396e3db5096b8d89fc320b327bc0074261a416935b6ecd2ee71b1550c1c47c11
                                  • Instruction ID: 2b396ad87d4b872bbe80db2fd846f96de688f68ed61c1c9979fbe989d53f2aa8
                                  • Opcode Fuzzy Hash: 396e3db5096b8d89fc320b327bc0074261a416935b6ecd2ee71b1550c1c47c11
                                  • Instruction Fuzzy Hash: 05E0EC75200308FBDF01CF90CC41F8E7BB9AB49754F208058E905AA160C376AA54EB50
                                  Function 000980AA Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 000980AF
                                    • Part of subcall function 00041E0C: malloc.MSVCRT ref: 00041E1F
                                    • Part of subcall function 00041E0C: _CxxThrowException.MSVCRT(?,000F4B28), ref: 00041E39
                                    • Part of subcall function 0008BDB5: __EH_prolog.LIBCMT ref: 0008BDBA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$ExceptionThrowmalloc
                                  • String ID:
                                  • API String ID: 3744649731-0
                                  • Opcode ID: fe4b7a04d4577b7bcc1df5842d61da6a216369fe3805fa11a14dd6ac927c7242
                                  • Instruction ID: cc685135233f3e44c0315fca64d63e6785061f3885f4b641d4f0eab58b4d14d7
                                  • Opcode Fuzzy Hash: fe4b7a04d4577b7bcc1df5842d61da6a216369fe3805fa11a14dd6ac927c7242
                                  • Instruction Fuzzy Hash: 02D05B71B013016FDF48FFB494217AE76E0AB44300F00457EA016E37C2EF7499008714
                                  Function 00046848 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
                                  Download Yara Rule
                                  APIs
                                  • FindClose.KERNELBASE(00000000,?,00046880), ref: 00046853
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CloseFind
                                  • String ID:
                                  • API String ID: 1863332320-0
                                  • Opcode ID: 26932ae8403684968dfa90045ccd350e44a9ab21213104c6f336c4eb83308030
                                  • Instruction ID: 68886e4d3c8d4726e2378cfd596dd89cfb70cfa81e6f76a70f9034dc47368c4c
                                  • Opcode Fuzzy Hash: 26932ae8403684968dfa90045ccd350e44a9ab21213104c6f336c4eb83308030
                                  • Instruction Fuzzy Hash: 9FD01271104261469AA45E3DB8449C533D86F0773432107ADF0B0D71E1EB628C835654
                                  Function 00042010 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID:
                                  • API String ID: 1795875747-0
                                  • Opcode ID: 7b6fadd025d9caef5697f6ab1838de59ba3e5022f91d9456dcb32a1e7385c27b
                                  • Instruction ID: 40a876a8c1ee6261341f17dec93c3438b716d56038827b23737bd437b98e0c8f
                                  • Opcode Fuzzy Hash: 7b6fadd025d9caef5697f6ab1838de59ba3e5022f91d9456dcb32a1e7385c27b
                                  • Instruction Fuzzy Hash: 2ED0C936108251AFA625AF05EC09C8BFBA5FFD5720721082FF880921619B626825DAA4
                                  Function 00041FA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputc
                                  • String ID:
                                  • API String ID: 1992160199-0
                                  • Opcode ID: 92fb222aa752ab31ce4be870c892456897b3cfb79d8a58f88d02d7103c3747d1
                                  • Instruction ID: 6166970f2c6a8763ad8d1a6603e26c2b3cc70cba9c34ca546e734168a3b2ef32
                                  • Opcode Fuzzy Hash: 92fb222aa752ab31ce4be870c892456897b3cfb79d8a58f88d02d7103c3747d1
                                  • Instruction Fuzzy Hash: 9DB092323082209FF6181A9CBC0AAC06794DB0AB32B21009BF944D61909A921C824A95
                                  Function 00047C3B Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SetFileTime.KERNELBASE(?,00000000,00000000,00000000,00047C65,00000000,00000000,00000000,0004F238,?,00000000,?,00000000), ref: 00047C49
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: FileTime
                                  • String ID:
                                  • API String ID: 1425588814-0
                                  • Opcode ID: c71bcd8244e11e7f530b87b2c559252309519e5f7bb2ade3919d264c7116834f
                                  • Instruction ID: 6fdf7aafdb9811f7701e31560e5e28196ecfc9ef0f18c7cd58ef320a1c3eab58
                                  • Opcode Fuzzy Hash: c71bcd8244e11e7f530b87b2c559252309519e5f7bb2ade3919d264c7116834f
                                  • Instruction Fuzzy Hash: EDC04C36158105FF9F020F70CC45C1ABBA2ABA5711F10C958F159C4070C7338424EB02
                                  Function 00047D3C Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON
                                  Download Yara Rule
                                  APIs
                                  • SetEndOfFile.KERNELBASE(?,00047D81,?,?,?), ref: 00047D3E
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: File
                                  • String ID:
                                  • API String ID: 749574446-0
                                  • Opcode ID: f93197be5818c56aa24759a5bdd605223e9ed46b58fb858db3ea4840b0e5f412
                                  • Instruction ID: a0e8b16c904c7bbcc21b076c898adf31a42571a3fb93d6dd11f1a35d4dffa2b2
                                  • Opcode Fuzzy Hash: f93197be5818c56aa24759a5bdd605223e9ed46b58fb858db3ea4840b0e5f412
                                  • Instruction Fuzzy Hash: 3EA002702E515B8FAF111F34DC49C243AA1BB53B0776027E9B013DE4F5DF27441AAA01
                                  Function 0004C4D6 Relevance: 1.5, APIs: 1, Instructions: 205COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: memmove
                                  • String ID:
                                  • API String ID: 2162964266-0
                                  • Opcode ID: c1fdcb63615e31ac9a9518e1cf60e59d95794b21628541da39bacdcae6b7c150
                                  • Instruction ID: df4327348503cd7772e89cd7b7e055db963fcac62d6398f50e38889530be80dc
                                  • Opcode Fuzzy Hash: c1fdcb63615e31ac9a9518e1cf60e59d95794b21628541da39bacdcae6b7c150
                                  • Instruction Fuzzy Hash: 9E815CB1E056499FEFA4CFA8C484AEEBBF1AF48300F148479D511B7241D731AA80CF68
                                  Function 00053E04 Relevance: 1.3, APIs: 1, Instructions: 17COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(00000000,00000000,00053D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00053E12
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: 52de29902d0fce44989303d08311c6cb68b708737370e820d68dad13402c03aa
                                  • Instruction ID: 9baf14d97cf20985af7cc259b71c06d7fb854de25d98961bfbb9c6ea177ee939
                                  • Opcode Fuzzy Hash: 52de29902d0fce44989303d08311c6cb68b708737370e820d68dad13402c03aa
                                  • Instruction Fuzzy Hash: 56D0123151421147EBB05E2CFC457D363DD6F11762B15449DFC90DB180E765CCD79A50
                                  Function 000C6BC6 Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: malloc
                                  • String ID:
                                  • API String ID: 2803490479-0
                                  • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                  • Instruction ID: ef10b4bfa7f797ebd281aa9be0b01eaa470fd2f392454f5ced1f9de1775bf51a
                                  • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                                  • Instruction Fuzzy Hash: 59D012B161360626DFA84B304C4EF6F31D52F5035AF2C85BDE813CB292FB1ACA599258
                                  Function 0004764C Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                                  Download Yara Rule
                                  APIs
                                  • CloseHandle.KERNELBASE(00000000,?,000475AF,00000002,?,00000000,00000000), ref: 00047657
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CloseHandle
                                  • String ID:
                                  • API String ID: 2962429428-0
                                  • Opcode ID: b0883537a1144bd18b7fae584aa8c2eb4a1ab7b6c4e1ff2866ec2f9ef1db069c
                                  • Instruction ID: 967bfba4f1d398f411c97d99b1e3de52966c3b8bd1512ed88d5a46bdd94a4ce0
                                  • Opcode Fuzzy Hash: b0883537a1144bd18b7fae584aa8c2eb4a1ab7b6c4e1ff2866ec2f9ef1db069c
                                  • Instruction Fuzzy Hash: BBD01271108662469AA41E3C7845DC233DA5B2273436207A9F0B8D72E1D3618CC34654
                                  Function 000C6B23 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON
                                  Download Yara Rule
                                  APIs
                                  • VirtualAlloc.KERNELBASE(00000000), ref: 000C6B31
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 480d280c0f0656832209ad686b710bb63bc5dd0b4db6a30c09b59acb95695b28
                                  • Instruction ID: 76f4e3aecd444e6295ccfa24ee25c6282a75d09d59c4f9ec414ad28b983e52a1
                                  • Opcode Fuzzy Hash: 480d280c0f0656832209ad686b710bb63bc5dd0b4db6a30c09b59acb95695b28
                                  • Instruction Fuzzy Hash: B1C08CE1A4D280DFEF0213108C80B603B208B83700F0A00C1E8046B092C2091809CB22
                                  Function 000C69D0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: malloc
                                  • String ID:
                                  • API String ID: 2803490479-0
                                  • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                  • Instruction ID: 33b8df0ca538e42621d87682b2312cf6d868a1aad426efc00faeb85cf899798a
                                  • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                                  • Instruction Fuzzy Hash: 0BA012C551118101DD6C1230280196B20461B502077C444BD7403C0202F626C1041015
                                  Function 000C6AF0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: malloc
                                  • String ID:
                                  • API String ID: 2803490479-0
                                  • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                  • Instruction ID: 8b9429303a0b56c376bf3e9246bb0dfcc273a248819b858391bdcf7c80626273
                                  • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                                  • Instruction Fuzzy Hash: B2A012CCE00141019D541174380196720532BE06057D8C478640240206FA15C0042013
                                  Function 000C6BA3 Relevance: 1.3, APIs: 1, Instructions: 6COMMON
                                  Download Yara Rule
                                  APIs
                                  • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 000C6BAC
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: FreeVirtual
                                  • String ID:
                                  • API String ID: 1263568516-0
                                  • Opcode ID: 0fc14f6dd974986a0308b2b2c0528b310294d9c06a30bec9679dbe6b62c7a43b
                                  • Instruction ID: 71967e81c784e651b8ec232f19241647a9927e7667cf8ebbeb3df3718199e085
                                  • Opcode Fuzzy Hash: 0fc14f6dd974986a0308b2b2c0528b310294d9c06a30bec9679dbe6b62c7a43b
                                  • Instruction Fuzzy Hash: A7A00278680740B7FD7067306D8FF5937247780F05F308544B2517D0D05AE971459E5C
                                  Function 000C69F0 Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: free
                                  • String ID:
                                  • API String ID: 1294909896-0
                                  • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                  • Instruction ID: bb88ae03a8bf767ad69100e788b921294d44599d7eb588a72454a02c671b0d6d
                                  • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                                  • Instruction Fuzzy Hash:
                                  Function 000C6B10 Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: free
                                  • String ID:
                                  • API String ID: 1294909896-0
                                  • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                  • Instruction ID: ce22cdabb80a78d553ab41b9b8e0083fa19b30c2ecc5a7f6d84c2689227c8f8d
                                  • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                                  • Instruction Fuzzy Hash:
                                  Function 00041E40 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: free
                                  • String ID:
                                  • API String ID: 1294909896-0
                                  • Opcode ID: 21aa6e56f180f126fa465266688ec664c1c7ba402bf0b1779787199be844be17
                                  • Instruction ID: 3abf8f720ab8f698efabbac7635eae067a02bc1eda25076b50a50ca0902b0296
                                  • Opcode Fuzzy Hash: 21aa6e56f180f126fa465266688ec664c1c7ba402bf0b1779787199be844be17
                                  • Instruction Fuzzy Hash: 85A00271505281DBFA051B10ED498897B61EF86A27B21449DF057644718B364861BA01

                                  Non-executed Functions

                                  Function 000E0090 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                  Download Yara Rule
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: Version
                                  • String ID:
                                  • API String ID: 1889659487-0
                                  • Opcode ID: 1006f00eeaab5868fb482e65fbe03bd27f8ce9f642ad2df4f291d8637e818b06
                                  • Instruction ID: 57834dd197ed2553d012f6c1d14e9c12242d3934a784205dd80bfddce907b74f
                                  • Opcode Fuzzy Hash: 1006f00eeaab5868fb482e65fbe03bd27f8ce9f642ad2df4f291d8637e818b06
                                  • Instruction Fuzzy Hash: 77D012729114454BE744766DC84A29977A5F760300FC80954D865D1163F9AEC6D68292
                                  Function 0004C085 Relevance: 21.5, APIs: 17, Instructions: 290COMMON
                                  Download Yara Rule
                                  APIs
                                  • memcmp.MSVCRT(?,000F48A0,00000010), ref: 0004C09E
                                  • memcmp.MSVCRT(?,000F0258,00000010), ref: 0004C0BB
                                  • memcmp.MSVCRT(?,000F0348,00000010), ref: 0004C0CE
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: memcmp
                                  • String ID:
                                  • API String ID: 1475443563-0
                                  • Opcode ID: aae9f4485574d174c77453ba59bc9eb7917f9ea5258bd1da9fa7cdb2b21cee9c
                                  • Instruction ID: 520f3cefc48a48ae8bde9de9677e9874b1d89c926eaeee644008c5826df243f4
                                  • Opcode Fuzzy Hash: aae9f4485574d174c77453ba59bc9eb7917f9ea5258bd1da9fa7cdb2b21cee9c
                                  • Instruction Fuzzy Hash: 29916EB1641715ABE7A09E21DD41FBB33E8AF65711F008439FE4ADB602F760AE04C7A4
                                  Function 000A447A Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 291COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                                  • API String ID: 3519838083-1909666238
                                  • Opcode ID: fc963908e1185f92c11404e81a9705659f2cf34571a996f932b96304368dce5e
                                  • Instruction ID: 121b994bd099bf334178a32ac58d63da3a1914b864118f640470eee3115a4e3d
                                  • Opcode Fuzzy Hash: fc963908e1185f92c11404e81a9705659f2cf34571a996f932b96304368dce5e
                                  • Instruction Fuzzy Hash: 51C100799046899FCB24DFE4D451AFE7BB1AF83300F5A80B9E0496B123DBB49E45DB40
                                  Function 000464F3 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 116threadCOMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 000464F8
                                  • GetCurrentThreadId.KERNEL32 ref: 00046508
                                  • GetTickCount.KERNEL32 ref: 00046513
                                  • GetCurrentProcessId.KERNEL32(?,00000000), ref: 0004651E
                                  • GetTickCount.KERNEL32 ref: 00046578
                                  • SetLastError.KERNEL32(000000B7,?,?,?,00000000), ref: 000465C5
                                  • GetLastError.KERNEL32(?,?,?,00000000), ref: 000465EC
                                    • Part of subcall function 00045D7A: __EH_prolog.LIBCMT ref: 00045D7F
                                    • Part of subcall function 00045D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00045DA1
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                                  • String ID: .tmp$d
                                  • API String ID: 1989517917-2797371523
                                  • Opcode ID: b29eacf981abf9cfb6268d0db0f6fb72bac4b703345ac3a14b984e6e85eaec24
                                  • Instruction ID: 78297f29ea243fa3f975f66a3560b375828891efe180f6bd91c5d9450b4ffa79
                                  • Opcode Fuzzy Hash: b29eacf981abf9cfb6268d0db0f6fb72bac4b703345ac3a14b984e6e85eaec24
                                  • Instruction Fuzzy Hash: 1E4116B29101549FEF15AFA4D8557ED77B0FF16314F140139F802BB1A2DB3A8941CB1A
                                  Function 000785C6 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 37COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                                  • API String ID: 1795875747-657955069
                                  • Opcode ID: 454bfb956c331cb0e3bb69cf64f9c53126f025d612f54407169987f2ee4a6eb3
                                  • Instruction ID: cf252c7097aaf269b305d3cfde8dfadd0fdc9cab9056cec2826f5f7edbd576eb
                                  • Opcode Fuzzy Hash: 454bfb956c331cb0e3bb69cf64f9c53126f025d612f54407169987f2ee4a6eb3
                                  • Instruction Fuzzy Hash: A6F02732B041493FCA102792AC84D7EFF5ADFC63A0B240037FA0467282EF6618618FA5
                                  Function 00076244 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prologfputs
                                  • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                  • API String ID: 1798449854-1259944392
                                  • Opcode ID: 919e233a8209fabe3e97ec6e8961a3d01297759a532d3fe757f9f05c026570b3
                                  • Instruction ID: 6d23ccc6b28305291857d7ce5afeb707983e71a87c9d8b7cf2fb3bfb3a3e3460
                                  • Opcode Fuzzy Hash: 919e233a8209fabe3e97ec6e8961a3d01297759a532d3fe757f9f05c026570b3
                                  • Instruction Fuzzy Hash: 28218071E009459FCB14EB95C542AFEB3A4EF54310B00803AF546E76A3DB79AD46CB88
                                  Function 0004A08C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0004A091
                                    • Part of subcall function 00049BAA: RegCloseKey.ADVAPI32(?,?,00049BA0), ref: 00049BB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CloseH_prolog
                                  • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                                  • API String ID: 1579395594-270022386
                                  • Opcode ID: 3868132b22334fb8566e99bef6a2d22aefce54ae1ce66375b11458e7ff534cf5
                                  • Instruction ID: 636ae781694b85fe3850805fdce1df09c53f768d3d97eb69c7d3fb08fe9c83a1
                                  • Opcode Fuzzy Hash: 3868132b22334fb8566e99bef6a2d22aefce54ae1ce66375b11458e7ff534cf5
                                  • Instruction Fuzzy Hash: D951B1B1B412459FCF10EF99C8929EEB7B4BF59300F40843EE552A7252DB709A05CB55
                                  Function 0007463D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00074642
                                  • EnterCriticalSection.KERNEL32(00102918), ref: 00074656
                                  • LeaveCriticalSection.KERNEL32(00102918), ref: 00074685
                                  • LeaveCriticalSection.KERNEL32(00102918), ref: 000746C5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CriticalSection$Leave$EnterH_prolog
                                  • String ID: v
                                  • API String ID: 2532973370-3261393531
                                  • Opcode ID: d4b7041c977bff25dacae2d1fc44e714cb861a34a3a8ed4bf27ffbf9a0f8d543
                                  • Instruction ID: d5e25872c6802d56fed0a514ef9ff6c3e7671d3f7deeb207171bb295054a84b6
                                  • Opcode Fuzzy Hash: d4b7041c977bff25dacae2d1fc44e714cb861a34a3a8ed4bf27ffbf9a0f8d543
                                  • Instruction Fuzzy Hash: EB114C75A00211AFD714DF15C8C896EB7E9FF8A724B10C22DE81ADB700C778ED058B91
                                  Function 000A03D6 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 212COMMON
                                  Download Yara Rule
                                  APIs
                                  • memset.MSVCRT ref: 000A03F5
                                  • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 000A0490
                                  • memset.MSVCRT ref: 000A0618
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: memset$memcpy
                                  • String ID: $@
                                  • API String ID: 368790112-1077428164
                                  • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                  • Instruction ID: 6a2706e7be575684d09ca3a4fc9f352b21c9b2c5bef984ea68b4ed9b46e0688a
                                  • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                                  • Instruction Fuzzy Hash: 1291F33090070DAFEF60DFA4C841BDAB7B1BF56304F008459E59A57192DB70BA98CF90
                                  Function 0004613C Relevance: 7.6, APIs: 5, Instructions: 150COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00046141
                                    • Part of subcall function 00046C72: __EH_prolog.LIBCMT ref: 00046C77
                                  • SetLastError.KERNEL32(0000010B,00000000,00000000,00000000), ref: 00046197
                                  • GetLastError.KERNEL32(?,00000000,00000002,0000005C,?,00000000,00000000,00000000), ref: 0004626E
                                  • SetLastError.KERNEL32(?,00000000,?,00000000,00000002,0000005C,?,00000000,00000000,00000000), ref: 000462A9
                                    • Part of subcall function 00046096: __EH_prolog.LIBCMT ref: 0004609B
                                    • Part of subcall function 00046096: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,00000000,?,00000000), ref: 000460DF
                                  • GetLastError.KERNEL32(?,00000000,00000002,0000005C,?,00000000,00000000,00000000), ref: 00046285
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ErrorLast$H_prolog$DeleteFile
                                  • String ID:
                                  • API String ID: 3586524497-0
                                  • Opcode ID: 704e173d3c506ca0ecc8d30b7c8405a99400c15b5ce6f485e06edd715052e8b9
                                  • Instruction ID: 87406bb07c542803dae323ac78f68757530a10151a0463d594259868b5049ff8
                                  • Opcode Fuzzy Hash: 704e173d3c506ca0ecc8d30b7c8405a99400c15b5ce6f485e06edd715052e8b9
                                  • Instruction Fuzzy Hash: 7951D1B1C04218EADF15EBE4D951BEDBBB4AF12340F104179E84173193EF761A4ACB5A
                                  Function 000544C2 Relevance: 7.6, APIs: 6, Instructions: 84COMMON
                                  Download Yara Rule
                                  APIs
                                  • memcmp.MSVCRT(?,000F48A0,00000010), ref: 000544DB
                                  • memcmp.MSVCRT(?,000F0128,00000010), ref: 000544EE
                                  • memcmp.MSVCRT(?,000F0228,00000010), ref: 0005450B
                                  • memcmp.MSVCRT(?,000F0248,00000010), ref: 00054528
                                  • memcmp.MSVCRT(?,000F01C8,00000010), ref: 00054545
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: memcmp
                                  • String ID:
                                  • API String ID: 1475443563-0
                                  • Opcode ID: 36d9d30be95b15fc250bd2fd41c4b690e78bf9157919eabf12633dae65223129
                                  • Instruction ID: ae446660456f980b0e0bd4d918d49580d4fdf9d64148e6c368ace133d2a5e3b1
                                  • Opcode Fuzzy Hash: 36d9d30be95b15fc250bd2fd41c4b690e78bf9157919eabf12633dae65223129
                                  • Instruction Fuzzy Hash: 6A2192727402096BE7148E20DC81FFF33EC9B507AAF008139FE069B247F664DE4896A0
                                  Function 0008C414 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: !$LZMA2:$LZMA:
                                  • API String ID: 3519838083-3332058968
                                  • Opcode ID: 621962103c7a64b278e7b3574cdd475bda7f83f4e648b7bcc9098158a0fb4681
                                  • Instruction ID: 484127b6183ecc393e34a1649aba516ac6c2503b8b948615cadf8614f9ab6713
                                  • Opcode Fuzzy Hash: 621962103c7a64b278e7b3574cdd475bda7f83f4e648b7bcc9098158a0fb4681
                                  • Instruction Fuzzy Hash: BE61DE7090014AAEEF25EB64C559FFD7BF1BF15344F2840B9E48667162EB70AE80C760
                                  Function 0004A384 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0004A389
                                    • Part of subcall function 0004A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0004A3C1,00000001), ref: 0004A4CD
                                    • Part of subcall function 0004A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0004A4DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AddressH_prologHandleModuleProc
                                  • String ID: : $ SP:$Windows
                                  • API String ID: 786088110-3655538264
                                  • Opcode ID: abb6b33c429027ec53a1e66e4ab2adcb89f84230d7741d1f1092ab57d27c9230
                                  • Instruction ID: 322504aac9be99f78ac03e649818a8bac15bee13d4b29d1e8dc07b1e66616f3f
                                  • Opcode Fuzzy Hash: abb6b33c429027ec53a1e66e4ab2adcb89f84230d7741d1f1092ab57d27c9230
                                  • Instruction Fuzzy Hash: DE313EB1E012199ACF15FBA1C8529EEBBB4BF58300F8004B9F50273192DF711E85CBA9
                                  Function 00076025 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0007602A
                                  • EnterCriticalSection.KERNEL32(00102938), ref: 00076044
                                  • LeaveCriticalSection.KERNEL32(00102938), ref: 00076060
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: CriticalSection$EnterH_prologLeave
                                  • String ID: v
                                  • API String ID: 367238759-3261393531
                                  • Opcode ID: 9d8b413d2a881fb21318eb0dc7714d0b928379ccc8992522c1ce55c1f414247b
                                  • Instruction ID: bae7dcab66b596a777f853b1f2a32b422597da43e414d2a4b4e14e2429b9960a
                                  • Opcode Fuzzy Hash: 9d8b413d2a881fb21318eb0dc7714d0b928379ccc8992522c1ce55c1f414247b
                                  • Instruction Fuzzy Hash: D3F03A36900254EFD701DF98D949EDEBBB8FF45364F14806AF406AB211C7B99A00CBA0
                                  Function 0004A4C5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON
                                  Download Yara Rule
                                  APIs
                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,0004A3C1,00000001), ref: 0004A4CD
                                  • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0004A4DD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: AddressHandleModuleProc
                                  • String ID: RtlGetVersion$ntdll.dll
                                  • API String ID: 1646373207-1489217083
                                  • Opcode ID: 8242e7b2bf47a08218dda848d14a18427f85a2597e5cdaf753065757ac13b70b
                                  • Instruction ID: bea7ee9d984a1642376bb60c673bc14588250eebc6ed670b67189056e9d45549
                                  • Opcode Fuzzy Hash: 8242e7b2bf47a08218dda848d14a18427f85a2597e5cdaf753065757ac13b70b
                                  • Instruction Fuzzy Hash: 8DD0A7B23557501EF67066B53C4EFEB128C9BC2F5070544A2F900E8040E6C99DC300A5
                                  Function 00060306 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
                                  Download Yara Rule
                                  APIs
                                  • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00060359
                                  • GetLastError.KERNEL32(?,?,00000000,?), ref: 00060382
                                  • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 000603DA
                                  • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 000603F0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ErrorFileLastSecurity
                                  • String ID:
                                  • API String ID: 555121230-0
                                  • Opcode ID: 1bdf2d891437b26eb8834a1445bcac157182a7c757cfa73f89d09fbb54bb0796
                                  • Instruction ID: 2aa76cd4daccc8e36285acdeebda385ead1019180bcd10d6f217ce48de19e8ea
                                  • Opcode Fuzzy Hash: 1bdf2d891437b26eb8834a1445bcac157182a7c757cfa73f89d09fbb54bb0796
                                  • Instruction Fuzzy Hash: 79315770A4021AEFDB10DFA4C880BAFBBBAFB44305F108959E466A7351D770AE41DB60
                                  Function 000482FB Relevance: 6.1, APIs: 4, Instructions: 78COMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 00048300
                                  • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0004834F
                                  • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0004837C
                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0004839B
                                    • Part of subcall function 00041E40: free.MSVCRT ref: 00041E44
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                                  • String ID:
                                  • API String ID: 1689166341-0
                                  • Opcode ID: c618fdd69de15580549780a85e319dc16367d86dac64183e2d97f04acdf81ff7
                                  • Instruction ID: 836489284987605bfdf53a1cc38c5d1a4f5ebae8d8958d4570045a4233d77d9e
                                  • Opcode Fuzzy Hash: c618fdd69de15580549780a85e319dc16367d86dac64183e2d97f04acdf81ff7
                                  • Instruction Fuzzy Hash: 9D21C1B2900204AFDF209F94DC81AEE7BF9EB85750F10403EF945A6242CB314E44C768
                                  Function 000860D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: BlockPackSize$BlockUnpackSize
                                  • API String ID: 3519838083-5494122
                                  • Opcode ID: 6a6499be9a030e959adaadad71e089a8bac005a43684a45d5473dd603772c63d
                                  • Instruction ID: a820a4e699a3e431016ac6eed64a9295f58c1c9adceb38ac3f83e7b897bc46df
                                  • Opcode Fuzzy Hash: 6a6499be9a030e959adaadad71e089a8bac005a43684a45d5473dd603772c63d
                                  • Instruction Fuzzy Hash: D551E671800A849ECF79EBA488A1AFD7BE1BF26310F1A40AED1D6531A2D7235988D701
                                  Function 0004A4F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON
                                  Download Yara Rule
                                  APIs
                                  • __EH_prolog.LIBCMT ref: 0004A4F8
                                    • Part of subcall function 0004A384: __EH_prolog.LIBCMT ref: 0004A389
                                    • Part of subcall function 00049E14: GetSystemInfo.KERNEL32(?), ref: 00049E36
                                    • Part of subcall function 00049E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00049E50
                                    • Part of subcall function 00049E14: GetProcAddress.KERNEL32(00000000), ref: 00049E57
                                  • strcmp.MSVCRT ref: 0004A564
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                                  • String ID: -
                                  • API String ID: 2798778560-3695764949
                                  • Opcode ID: 46f2b3b2c4e22024f0f4f9dc59bfd7ddc1132069a6d5713d3635287d5830294c
                                  • Instruction ID: f5499667664ac3afb111227cfb1687b5930343f3e5fd5b3f0605b205cec65fdb
                                  • Opcode Fuzzy Hash: 46f2b3b2c4e22024f0f4f9dc59bfd7ddc1132069a6d5713d3635287d5830294c
                                  • Instruction Fuzzy Hash: D53158B1E01219ABCF19FBE0D9529EDB7B5AF54310F90403AF40272193DF345A45CA6A
                                  Function 00076184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: H_prolog
                                  • String ID: 0$x
                                  • API String ID: 3519838083-1948001322
                                  • Opcode ID: 74c1a686b453f53ea2d4dadb1cc50f43debcc302ebe5144f1bd345822121ec74
                                  • Instruction ID: c56875a8350eec6f8b13504aae9bee7f2094d550546b1c156091e22e1f55fc0e
                                  • Opcode Fuzzy Hash: 74c1a686b453f53ea2d4dadb1cc50f43debcc302ebe5144f1bd345822121ec74
                                  • Instruction Fuzzy Hash: 27216D76E0111A9BCF09EB98D995AEDB7B5FF48304F54002AE90277242DF795E04CBA8
                                  Function 00078685 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  • Cannot open the file as archive, xrefs: 000786D0
                                  • Cannot open encrypted archive. Wrong password?, xrefs: 00078698
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                                  • API String ID: 1795875747-1623556331
                                  • Opcode ID: 3c244a046569caddf3f430c71c25232dac2a89a87041000251627d0d49ad923e
                                  • Instruction ID: e02bf18f0e4ae751a1ddf436841776131d0bbb213f848327a428f2f3e0da636d
                                  • Opcode Fuzzy Hash: 3c244a046569caddf3f430c71c25232dac2a89a87041000251627d0d49ad923e
                                  • Instruction Fuzzy Hash: A301D6317402006FDA14E654D499EBEB3E7AFC8340F54C43EF60A87686DF78A8429B29
                                  Function 000782DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON
                                  Download Yara Rule
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: fputs
                                  • String ID: =
                                  • API String ID: 1795875747-2525689732
                                  • Opcode ID: 993601bd6819a1682dc5ec9566035ee003e7dcc87deafa2476543d100dadcd99
                                  • Instruction ID: c6d4c15d808340f99ac5441458951220567741e015bc615815bbb6a0fa9b4b65
                                  • Opcode Fuzzy Hash: 993601bd6819a1682dc5ec9566035ee003e7dcc87deafa2476543d100dadcd99
                                  • Instruction Fuzzy Hash: 2AE0D831E001559BEB00B7ED9C85CFE7B39EBC07547004826E910DB202EA759911CBD4
                                  Function 000A41C0 Relevance: 5.1, APIs: 4, Instructions: 57COMMON
                                  Download Yara Rule
                                  APIs
                                  • memcmp.MSVCRT(?,000F48A0,00000010), ref: 000A41D6
                                  • memcmp.MSVCRT(?,000F0168,00000010), ref: 000A41F1
                                  • memcmp.MSVCRT(?,000F01E8,00000010), ref: 000A4205
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.1693352575.0000000000041000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00040000, based on PE: true
                                  • Associated: 00000009.00000002.1693320569.0000000000040000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693457329.00000000000EC000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693478950.0000000000102000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                  • Associated: 00000009.00000002.1693507161.000000000010B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_40000_7zr.jbxd
                                  Similarity
                                  • API ID: memcmp
                                  • String ID:
                                  • API String ID: 1475443563-0
                                  • Opcode ID: 3f33fa6d388fbd6716bdea0d2030f3c341cf60eb5242984ad90863dc92cd3459
                                  • Instruction ID: fb64a92f0226874499ae24698c13893b3e2151c686cf3caa539103e11252c01f
                                  • Opcode Fuzzy Hash: 3f33fa6d388fbd6716bdea0d2030f3c341cf60eb5242984ad90863dc92cd3459
                                  • Instruction Fuzzy Hash: 5F01A13535030A67D7104B54CC42FBE73E49BA6751F048439FF469F282F6B4AA509750