Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe

Overview

General Information

Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
renamed because original name is a hash value
Original sample name:_1.1.0.exe
Analysis ID:1580549
MD5:cc4c53c634a350d8040888ff38df9e20
SHA1:1f3af1bab4b2e172c59fe165169976c20028a4fa
SHA256:13ded7ac74245dd01f80304bb56bb9f9480e20bf4a5166ed1287f5cd22f53f6a
Tags:exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" MD5: CC4C53C634A350D8040888FF38DF9E20)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp (PID: 6980 cmdline: "C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" MD5: 6B62BAE0EB64E164C7CA6E4C80727D80)
      • powershell.exe (PID: 7056 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7132 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe (PID: 3020 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT MD5: CC4C53C634A350D8040888FF38DF9E20)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp (PID: 6688 cmdline: "C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$402A0,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT MD5: 6B62BAE0EB64E164C7CA6E4C80727D80)
          • 7zr.exe (PID: 6360 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 6380 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1612 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6232 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5264 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3548 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1544 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6952 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5288 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6188 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5888 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5180 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2668 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6984 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5888 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6188 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5348 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5052 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6360 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2944 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3548 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4632 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 4908 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7008 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5828 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7136 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2944 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5304 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2896 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3468 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 4888 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6260 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6024 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5780 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7152 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ParentProcessId: 6980, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7056, ProcessName: powershell.exe
Sigma detected: New Kernel Driver Via SC.EXE
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1612, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6232, ProcessName: sc.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ParentProcessId: 6980, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7056, ProcessName: powershell.exe
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1612, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6232, ProcessName: sc.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ParentProcessId: 6980, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7056, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcVirustotal: Detection: 37%Perma Link
Source: C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\update.vbcReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\update.vbcReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeReversingLabs: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeVirustotal: Detection: 8%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.0% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1816300424.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1815993490.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BE9E090 FindFirstFileA,FindClose,FindClose,6_2_6BE9E090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_007F6868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_007F7496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vbc.6.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694009644.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694444087.000000007EECB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1695887889.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000000.1785885937.0000000000ABD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694009644.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694444087.000000007EECB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1695887889.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000000.1785885937.0000000000ABD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: 01 00 00 00 Jump to behavior

System Summary

barindex
PE file contains section with special chars
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD23886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD23886
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEA8810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,6_2_6BEA8810
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD23A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD23A6A
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD239CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD239CF
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD23D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD23D62
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD23D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD23D18
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD23C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,6_2_6BD23C62
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEA9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6BEA9450
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD21950: CreateFileA,DeviceIoControl,CloseHandle,6_2_6BD21950
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD24754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,6_2_6BD24754
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD247546_2_6BD24754
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6C088D126_2_6C088D12
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BFB7A466_2_6BFB7A46
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEAA1336_2_6BEAA133
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEA48606_2_6BEA4860
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6C07B06F6_2_6C07B06F
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6C0138816_2_6C013881
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BFF4F0A6_2_6BFF4F0A
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6C02CB306_2_6C02CB30
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEE3BCA6_2_6BEE3BCA
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEF3B666_2_6BEF3B66
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF50AD06_2_6BF50AD0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF54AA06_2_6BF54AA0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF67AA06_2_6BF67AA0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF52A506_2_6BF52A50
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF5C9F06_2_6BF5C9F0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEDB9726_2_6BEDB972
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF6D9306_2_6BF6D930
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF518106_2_6BF51810
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEF5EC96_2_6BEF5EC9
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEDBEA16_2_6BEDBEA1
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF5CE806_2_6BF5CE80
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF56D506_2_6BF56D50
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF09CE06_2_6BF09CE0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF530206_2_6BF53020
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEDF7CF6_2_6BEDF7CF
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF7C7006_2_6BF7C700
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF5C6E06_2_6BF5C6E0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF625C06_2_6BF625C0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF555806_2_6BF55580
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEF840A6_2_6BEF840A
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF667506_2_6BF66750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008381EC10_2_008381EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0080E00A10_2_0080E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008781C010_2_008781C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008722E010_2_008722E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088824010_2_00888240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088C3C010_2_0088C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0089230010_2_00892300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0085E49F10_2_0085E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008804C810_2_008804C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008725F010_2_008725F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086A6A010_2_0086A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008666D010_2_008666D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086865010_2_00868650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088E99010_2_0088E990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0084094310_2_00840943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086C95010_2_0086C950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00872A8010_2_00872A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0084AB1110_2_0084AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00876CE010_2_00876CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00868C2010_2_00868C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00884EA010_2_00884EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00880E0010_2_00880E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0087D08910_2_0087D089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008510AC10_2_008510AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086B18010_2_0086B180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0087518010_2_00875180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008891C010_2_008891C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086D1D010_2_0086D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0085B12110_2_0085B121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088112010_2_00881120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088D2C010_2_0088D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088720010_2_00887200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0087F3A010_2_0087F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088F3C010_2_0088F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0081B3E410_2_0081B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008553F310_2_008553F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F53CF10_2_007F53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0083D49610_2_0083D496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008854D010_2_008854D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086741010_2_00867410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0087F42010_2_0087F420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088D47010_2_0088D470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F157210_2_007F1572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088F59910_2_0088F599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086F50010_2_0086F500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0089351A10_2_0089351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088353010_2_00883530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088155010_2_00881550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0087D6A010_2_0087D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0089360110_2_00893601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0084965210_2_00849652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008877C010_2_008877C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F97CA10_2_007F97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0080976610_2_00809766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0081F8E010_2_0081F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088D9E010_2_0088D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086F91010_2_0086F910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0080BAC910_2_0080BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00843AEF10_2_00843AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00877AF010_2_00877AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F1AA110_2_007F1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0080BC9210_2_0080BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00877C5010_2_00877C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0086FDF010_2_0086FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00875E8010_2_00875E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00875F8010_2_00875F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: SecurityJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: String function: 6BF79F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: String function: 6BEDC240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 007F1E40 appears 82 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 0088FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 007F28E3 appears 34 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694009644.00000000034DE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694444087.000000007F1CA000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000000.1692369298.0000000000459000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeBinary or memory string: OriginalFileNamek9O8L14lorRoI.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.drBinary string: \Device\TfSysMon
Source: tProtect.dll.12.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@130/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEA9450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,6_2_6BEA9450
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,10_2_007F9313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00803D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,10_2_00803D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,10_2_007F9252
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEA8930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,6_2_6BEA8930
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\is-VBI2U.tmpJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3548:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6240:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5768:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4632:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6380:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7024:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6016:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3084:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7028:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7056:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6288:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmpJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeReversingLabs: Detection: 13%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeVirustotal: Detection: 8%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$402A0,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$402A0,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic file information: File size 6351526 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1816300424.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1815993490.0000000003AD0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_008757D0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x3437f2
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x3437f2
Source: update.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: update.vbc.1.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: real checksum: 0x0 should be: 0x61b208
Source: hrsw.vbc.6.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: tProtect.dll.12.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.drStatic PE information: section name: .didata
Source: update.vbc.1.drStatic PE information: section name: .00cfg
Source: update.vbc.1.drStatic PE information: section name: .voltbl
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drStatic PE information: section name: .didata
Source: 7zr.exe.6.drStatic PE information: section name: .sxdata
Source: update.vbc.6.drStatic PE information: section name: .00cfg
Source: update.vbc.6.drStatic PE information: section name: .voltbl
Source: update.vbc.6.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.6.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.6.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD50F00 push ss; retn 0001h6_2_6BD50F0A
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEABDDB push ecx; ret 6_2_6BEABDEE
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEDE9F4 push 004AC35Ch; ret 6_2_6BEDEA0E
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF79F10 push eax; ret 6_2_6BF79F2E
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF7A290 push eax; ret 6_2_6BF7A2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F45F4 push 0089C35Ch; ret 10_2_007F460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088FB10 push eax; ret 10_2_0088FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_0088FE90 push eax; ret 10_2_0088FEBE
Source: update.vbc.1.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.6.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6373Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3401Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow / User API: threadDelayed 653Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow / User API: threadDelayed 594Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpWindow / User API: threadDelayed 592Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeAPI coverage: 7.5 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5768Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\sc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\sc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BE9E090 FindFirstFileA,FindClose,FindClose,6_2_6BE9E090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,10_2_007F6868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,10_2_007F7496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007F9C60 GetSystemInfo,10_2_007F9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000002.1798579360.00000000013EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\7
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000002.1798579360.00000000013EF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}K
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000003.1783015060.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, is-VBI2U.tmp.6.drBinary or memory string: (qeMu
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BD23886 NtSetInformationThread 00000000,00000011,00000000,000000006_2_6BD23886
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEB3871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6BEB3871
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_008757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,10_2_008757D0
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEB286D mov eax, dword ptr fs:[00000030h]6_2_6BEB286D
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEBD456 mov eax, dword ptr fs:[00000030h]6_2_6BEBD456
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEBD425 mov eax, dword ptr fs:[00000030h]6_2_6BEBD425
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEAC3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_6BEAC3AD
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BEB3871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_6BEB3871

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Found driver which could be used to inject code into processes
Source: tProtect.dll.12.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpProcess created: unknown unknownJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmpCode function: 6_2_6BF7A720 cpuid 6_2_6BF7A720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_007FAB2A GetSystemTimeAsFileTime,10_2_007FAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 10_2_00890090 GetVersion,10_2_00890090
Source: C:\Windows\System32\sc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\sc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
Windows Management Instrumentation		1
Windows Service		1
Access Token Manipulation		11
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts2
Command and Scripting Interpreter		1
DLL Side-Loading		1
Windows Service		1
Disable or Modify Tools		LSASS Memory441
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Service Execution		Logon Script (Windows)111
Process Injection		241
Virtualization/Sandbox Evasion		Security Account Manager241
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal Accounts1
Native API		Login Hook1
DLL Side-Loading		1
Access Token Manipulation		NTDS2
Process Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
Process Injection		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information		Cached Domain Credentials2
System Owner/User Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
Obfuscated Files or Information		DCSync3
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing		Proc Filesystem45
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1580549 Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... Startdate: 25/12/2024 Architecture: WINDOWS Score: 96 90 Multi AV Scanner detection for dropped file 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 Found driver which could be used to inject code into processes 2->94 96 3 other signatures 2->96 10 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe 2 2->10         started        13 cmd.exe 2->13         started        15 cmd.exe 2->15         started        17 31 other processes 2->17 process3 file4 86 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, PE32 10->86 dropped 19 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp 3 5 10->19         started        23 sc.exe 1 13->23         started        25 sc.exe 1 15->25         started        27 sc.exe 1 17->27         started        29 sc.exe 1 17->29         started        31 sc.exe 1 17->31         started        33 27 other processes 17->33 process5 file6 72 C:\Users\user\AppData\Local\...\update.vbc, PE32 19->72 dropped 74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 19->74 dropped 98 Adds a directory exclusion to Windows Defender 19->98 35 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe 2 19->35         started        38 powershell.exe 23 19->38         started        41 conhost.exe 23->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 31->49         started        51 conhost.exe 33->51         started        53 26 other processes 33->53 signatures7 process8 file9 76 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, PE32 35->76 dropped 55 #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp 4 15 35->55         started        100 Loading BitLocker PowerShell Module 38->100 59 conhost.exe 38->59         started        61 WmiPrvSE.exe 38->61         started        signatures10 process11 file12 78 C:\Users\user\AppData\Local\...\update.vbc, PE32 55->78 dropped 80 C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32 55->80 dropped 82 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 55->82 dropped 84 C:\Program Files (x86)\Windows NT\7zr.exe, PE32 55->84 dropped 102 Query firmware table information (likely to detect VMs) 55->102 104 Protects its processes via BreakOnTermination flag 55->104 106 Hides threads from debuggers 55->106 108 Contains functionality to hide a thread from the debugger 55->108 63 7zr.exe 2 55->63         started        66 7zr.exe 7 55->66         started        signatures13 process14 file15 88 C:\Program Files (x86)\...\tProtect.dll, PE32+ 63->88 dropped 68 conhost.exe 63->68         started        70 conhost.exe 66->70         started        process16

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe13%ReversingLabsWin32.Ransomware.Generic
#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe8%VirustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\Windows NT\7zr.exe0%ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe0%VirustotalBrowse
C:\Program Files (x86)\Windows NT\hrsw.vbc26%ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc38%VirustotalBrowse
C:\Program Files (x86)\Windows NT\tProtect.dll9%ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll6%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\update.vbc26%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\update.vbc26%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
217.20.58.100
truefalse
    		high

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exefalse
      		high
      https://www.remobjects.com/ps#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694009644.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694444087.000000007EECB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1695887889.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000000.1785885937.0000000000ABD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drfalse
        		high
        https://www.innosetup.com/#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694009644.00000000033C0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, 00000000.00000003.1694444087.000000007EECB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000001.00000000.1695887889.0000000000BE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp, 00000006.00000000.1785885937.0000000000ABD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.0.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp.5.drfalse
          		high

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1580549
          Start date and time:2024-12-25 04:37:56 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 10m 0s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Run name:Run with higher sleep bypass
          Number of analysed new started processes analysed:110
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Critical Process Termination
          Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
          renamed because original name is a hash value
          Original Sample Name:_1.1.0.exe
          Detection:MAL
          Classification:mal96.evad.winEXE@130/31@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 74%
          • Number of executed functions: 121
          • Number of non-executed functions: 103
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
          • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

          Warnings

          • Exclude process from analysis (whitelisted): Conhost.exe, SIHClient.exe
          • Excluded IPs from analysis (whitelisted): 20.109.210.53, 40.69.42.241
          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          No simulations

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comwUSt04rfJ0.exeGet hashmaliciousQuasarBrowse
          • 217.20.58.101
          #U5b89#U88c5#U52a9#U624b1.0.2.exeGet hashmaliciousUnknownBrowse
          • 217.20.58.99
          AxoPac.exeGet hashmaliciousLummaCBrowse
          • 217.20.58.100
          [External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.emlGet hashmaliciousUnknownBrowse
          • 217.20.58.99
          PLEASE SIGN THIS DOCUMENT - Reference number(s) 0598190575 DPR.msgGet hashmaliciousUnknownBrowse
          • 217.20.58.101
          lKin1m7Pf2.lnkGet hashmaliciousUnknownBrowse
          • 217.20.58.99
          fKdiT1D1dk.exeGet hashmaliciousRHADAMANTHYSBrowse
          • 217.20.58.100
          uDTW3VjJJT.exeGet hashmaliciousLummaC, StealcBrowse
          • 217.20.58.99
          data.exeGet hashmaliciousUnknownBrowse
          • 217.20.58.99
          4hSuRTwnWJ.dllGet hashmaliciousUnknownBrowse
          • 217.20.58.100

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
          C:\Program Files (x86)\Windows NT\7zr.exe#U5b89#U88c5#U7a0b#U5e8f_1.1.5.exeGet hashmaliciousUnknownBrowse
            #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeGet hashmaliciousUnknownBrowse
              #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exeGet hashmaliciousUnknownBrowse
                #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeGet hashmaliciousUnknownBrowse
                  #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeGet hashmaliciousUnknownBrowse
                    #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                      #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                        #U5b89#U88c5#U52a9#U624b2.0.6.exeGet hashmaliciousUnknownBrowse
                          #U5b89#U88c5#U52a9#U624b2.0.7.exeGet hashmaliciousUnknownBrowse

                            Created / dropped Files

                            C:\Program Files (x86)\Windows NT\7zr.exe

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Joe Sandbox View:
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.5.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.3.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\file.dat (copy)

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1479328
                            Entropy (8bit):7.999879236620477
                            Encrypted:true
                            SSDEEP:24576:dpVUk7xQQd/X6U3yXEVuw7AmG+slCUCZsuuAnvToXr6RiZJHMYOkRQ7Www/Pg9I4:dF73X6Ir37AmTUClZ9bjxYO1wXg9DmMn
                            MD5:03F04576ABD49BE131EC6BB04C97E830
                            SHA1:5EC5F38B2E9664EE853C9B9E08D95D1EF006EE0D
                            SHA-256:67CC858AFE160F673BDE0E8778933D6312AF5D6DC8526190E635792237A6FE07
                            SHA-512:8C1CD36278286E6349A22364E065205EAC19FC843AA0316D8B563FA4008307F7062A13D7EAF6278B8A6F11C9FC4A628FFFD15692A2080AFF782AF16466E4586B
                            Malicious:false
                            Preview:.@S.......n..............usnP}....di..*.D.......4...pj.)sED.1{}d.U....JB.i.).b\.Hi......UBZ9Ueh...L...~.,.udH.Zt.U.l....r.{..~..ymh.h6.^..........5@o.$.~i'~]1..+.g.h.$..a.R...//r.!tsI...#"].E..=A.....k........SP.`.g......M..~...W.3..".0=..-..*.V..-...4......?v...F.~6.'xI.jb..7-.@)..k.c..{.0.&.2.). ..E..].H.o?...\.XnM.>...F]...gm4E..5...S..{g....+4.J..n..#W.$...z>.|.Ss8|<}.....m...P..........U..~.ms;..o..U..e.......]/1'.-g./f...#.....7..y....m.xp...R.*.3V~!.......S|.wBRQ4-.j..M.......W.U.^b..2...UB.T.....!...q.J7.2j{o.A.I.a....8..y...Q.Z.M....4.c.$B.S ....G..pz0a(#G....U...PW.+..p8.@..>.p...X.p.t..-...JA.. ....C:..B......%..y...1..Kg...]...l.,.P..T....9.4]$..A..bD..t}.......m.%......,Q.iMl#-.|......q...?`.q.M...|.........p..pt.lj...#&.....m.@:....B.lY.....v....D..\..uC@CpR.9< +../...".....v.!.|A. ;D?*..c|.j..8./....N.g..i?ER.10e=. .!.|Q..@A.i.}a..t.....N..+..5....)..!.>..=.)....H3#n0.a.1(Ib.p.W.....v....g@4...l.D...~>.&..g.0..a6X.A..1K.k....q

                            C:\Program Files (x86)\Windows NT\hrsw.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            • Antivirus: Virustotal, Detection: 38%, Browse
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\is-VBI2U.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):1479328
                            Entropy (8bit):7.999879236620477
                            Encrypted:true
                            SSDEEP:24576:dpVUk7xQQd/X6U3yXEVuw7AmG+slCUCZsuuAnvToXr6RiZJHMYOkRQ7Www/Pg9I4:dF73X6Ir37AmTUClZ9bjxYO1wXg9DmMn
                            MD5:03F04576ABD49BE131EC6BB04C97E830
                            SHA1:5EC5F38B2E9664EE853C9B9E08D95D1EF006EE0D
                            SHA-256:67CC858AFE160F673BDE0E8778933D6312AF5D6DC8526190E635792237A6FE07
                            SHA-512:8C1CD36278286E6349A22364E065205EAC19FC843AA0316D8B563FA4008307F7062A13D7EAF6278B8A6F11C9FC4A628FFFD15692A2080AFF782AF16466E4586B
                            Malicious:false
                            Preview:.@S.......n..............usnP}....di..*.D.......4...pj.)sED.1{}d.U....JB.i.).b\.Hi......UBZ9Ueh...L...~.,.udH.Zt.U.l....r.{..~..ymh.h6.^..........5@o.$.~i'~]1..+.g.h.$..a.R...//r.!tsI...#"].E..=A.....k........SP.`.g......M..~...W.3..".0=..-..*.V..-...4......?v...F.~6.'xI.jb..7-.@)..k.c..{.0.&.2.). ..E..].H.o?...\.XnM.>...F]...gm4E..5...S..{g....+4.J..n..#W.$...z>.|.Ss8|<}.....m...P..........U..~.ms;..o..U..e.......]/1'.-g./f...#.....7..y....m.xp...R.*.3V~!.......S|.wBRQ4-.j..M.......W.U.^b..2...UB.T.....!...q.J7.2j{o.A.I.a....8..y...Q.Z.M....4.c.$B.S ....G..pz0a(#G....U...PW.+..p8.@..>.p...X.p.t..-...JA.. ....C:..B......%..y...1..Kg...]...l.,.P..T....9.4]$..A..bD..t}.......m.%......,Q.iMl#-.|......q...?`.q.M...|.........p..pt.lj...#&.....m.@:....B.lY.....v....D..\..uC@CpR.9< +../...".....v.!.|A. ;D?*..c|.j..8./....N.g..i?ER.10e=. .!.|Q..@A.i.}a..t.....N..+..5....)..!.>..=.)....H3#n0.a.1(Ib.p.W.....v....g@4...l.D...~>.&..g.0..a6X.A..1K.k....q

                            C:\Program Files (x86)\Windows NT\locale.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.997132694942412
                            Encrypted:true
                            SSDEEP:1536:vsdG2eWqexddSNh8NZxxBQ3Wm2gvwzGOgfj:klSNGPQRvfOy
                            MD5:4FA297F011D88BCF2F29258E508C2430
                            SHA1:E3983636567AA3A60C618A8EB8FF34EB8A50EA39
                            SHA-256:BF23B400117543AF20E63B064B666B11600BBB86DED0799CBCAC2D96E2FBC942
                            SHA-512:13B547DEB127AAEE017015D2095D5B0A60680F44687ED8014B66F0FF158E25EC8735E59D601776EA5E51208966232C225ADAC678A493BDCEA60FAB81BADCD502
                            Malicious:false
                            Preview:.@S....+...| ...............A{.D.w|.....8....W..A.".=u.........Y*...5b*.....j.-;.`...q...=..k...&.K..&....i....){`..W8Y...3....d..P.Wy.........Z4g._%J...n...e.ZB.|...E.I...a...p...v.|.w.....a.:.,.1...Y..IX0.`J...]5....AU.C...4......l.u..X.o:...X'...........R....0.H7.D.U..?P.4P.U.}.t)0x......m.l.h...sE=.A+.20R.\.9t..(....h...<..........{.4.m ty.A....d..QxS<~.<)Q..4~..c..=Q.u..;Yj:...od......]...;....t.O]...Y.W.;..e..k<..]...s||........>B....*......4;..9..R.&.(hi...v${.0je.v..d..5.k....x.;<3...i.......}.I.....O.].@.h...~f.#.D.c.t .s.BHF.rI...~...y.xjZh=..7..W.l.{......\...9.W.*7.,..d7V.....jOO....2.J..c..*.C._a.K.k.dj.8.f3.S.q....RHf...q.P.Q.w..n.......L... .Q..O!Z.-.8o...Y......W.\...<.~;..-+!K.V.Z.....(..*.....0[6.=..DR.V(..3O.A<....o....O....i.K.Hi...............->....]...;..v.\.P."...{?......bb.........!...."...-...WL.....WN.}.X.10.j.-5!.....&\.....J...-...6....b...>.v...rJ._....Y<v..IvW.....2.M.$ts...8B... .In....&.....S..<.}....k.....

                            C:\Program Files (x86)\Windows NT\locale.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56530
                            Entropy (8bit):7.997132694942403
                            Encrypted:true
                            SSDEEP:1536:2T8ko5BL2tRxmwRn1nUpQxrradMxi+Z8bgPO2iPf:2THRIwRn1VedMi0XPOlf
                            MD5:21705C726287510DCAC6EB71B115B02B
                            SHA1:A744FE3552C67101212A7DCB95995604245E3C50
                            SHA-256:F32DD750AF2EC280B6862ACD96B554F125B3D61AB38AA6C2A70815D73C91AC4C
                            SHA-512:A4F9AA83D29EAE3D9EFA71D6B12855A91ABD0625B199C9303C6E91CCE240161FDCFD26EC1602CF3392F24D5A53DDB4CDB5D366CF2A93ED55084689C97AE8F9B3
                            Malicious:false
                            Preview:7z..'....J~1........2.......9......t.kZ....6.BV......}~).lai.`....A..).".b.\..&..PU.{0ho..Z..z.......x..h..5:V.3.....zZ..&....?`1..uD.b6.9.{..v.../E..?...d.. S.qPE.V..=..kj+.yk..A...U.X..a.'.z....]y.b.......@.u....";}..\..)..\;.r..`.>..A...gp'.......Y.S.Y0.I...3Ol.;..E.s.l..@.....+...).L.-.y. .u~q...&..>i..|... &.9:6L4.Q.U.Y}/..dk..3.......w......Iw......O..Ub.T...n....RV........YuY9.).5.g.et./.Q...a>..W.a.Bx.X.....;..Z...<3=L9..n.38`}...E=6I....YM.........=..........tN.~..|w8.$n...z...`K./;...<...1.......x-...(...W.f..H.V...5..@M..a.a......1.Y..2.F.;/S.c;s...d0P...U..].J...=`..'...q/.m..j..H..l..@..l.".c..G.........Q......HX..j.l.a.Q..v.P..8....s+...e......r.7i.a.O]j.y].D.CL............q....\..8..ahh~o..7b..q..N...........?}.<c...X.H$.Z.;...nH..e.ce......AX~X..w{:w8e.V3d}....P..w.Y..}I..|lAM.v...uZ..*.~Z.Ip.2..S...ai..Q.S.F....A. `..#.j...SU....g..Zw.Fo...#5.2v..Y.}.%.z.i.....KU.^..;K........E|.....F.H...:..[g.....z-.9.w...).V..J......fC...

                            C:\Program Files (x86)\Windows NT\locale2.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

                            C:\Program Files (x86)\Windows NT\locale2.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

                            C:\Program Files (x86)\Windows NT\locale3.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

                            C:\Program Files (x86)\Windows NT\locale3.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

                            C:\Program Files (x86)\Windows NT\locale4.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...

                            C:\Program Files (x86)\Windows NT\locale4.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

                            C:\Program Files (x86)\Windows NT\locale7.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

                            C:\Program Files (x86)\Windows NT\locale7.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

                            C:\Program Files (x86)\Windows NT\res.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):1479328
                            Entropy (8bit):7.9998792366204805
                            Encrypted:true
                            SSDEEP:24576:tpM/NXd9kWh5o/bwMOakUWAQi4VUZheTuYf53orddOw0BY2Jy56R4Tkj8:twRh5AkMOaxukhGCrf2EM4TW8
                            MD5:D3DC27665B59AC814D3C6106C7AA2356
                            SHA1:B9D3AEBB0A651E5DA60DE9485460F0254290E705
                            SHA-256:82314DBDDC5E53ADE0FF5EF086D3DFB9A89D18DC53571B1FAEC0DAF2D6B09D08
                            SHA-512:C592C2EFC0600F09CE5B1C224E18108993BFB7B5EFE26954842047139562432B574314C971E66F7265AE989D6739509D0BE470668F7DF383EE4C6FD3D8339538
                            Malicious:false
                            Preview:7z..'....+Y1@.......@............lm......._..<.oQnD.r)+...ff...-o.....Li.y....i.......7)...0..........Y.Y.... ........V.?.Xi.Z........"...p..<......e5$.....N........=.!.`.'..l...I........&....)r.....Qf.'o.`..7Xo4....*..z...2f.k..x9u.u.j'....%".mB...4b4..6..6".Q.......~..V..6..=...y..G.9..H............=:....V.....]1.......jI;..h#....J).-'....c..#..]..|..s.........j.\.....0..+0..;..RcN.N.<EnY,g..p.".........Ip.6'...8o.P....<.K..3,.u,.........?..+v]X...9...arw{. ..\......)..e.9|.Ti.Q0.-r....A>..jk....N.T$]]...........z....]i...S-a.En1...M..U.z.B.t...]..8........u....5C<y....t3..]....?..e.....# .O....y....'....w..=$]F.l.m..v...........p.....B.3...n,Kr.'.....W0^...B..D+..E.. ..Q...j.........nWy.`.....L.I.H;X-.f.`..D....y=...a.D....>:..=...f]R.([..QU(.9c.4-....a..*d............1.tE..../.1.q.U..E....Cq.........`--....~..........L.'@....k..O.<..-/."GF>......2.V..h[\....p.uW.x.........M.v....m.v.....k...1(...x_S.z.XL...3.V!q.b.'m...l.A;.2...Oz.

                            C:\Program Files (x86)\Windows NT\tProtect.dll

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            • Antivirus: Virustotal, Detection: 6%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\task.xml

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3443983145211007
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                            MD5:1E67E91688292692932CD9096EDEA2BD
                            SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                            SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                            SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva

                            C:\Program Files (x86)\Windows NT\trash

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):1229243
                            Entropy (8bit):7.999860759193778
                            Encrypted:true
                            SSDEEP:24576:pZ+FOmAnhJkbPlXXgSjPcqlhfZobOCwFx02g5803Njfjb/:6FOBnsrlXXRzXIbpwFc8gNrjr
                            MD5:070A2AF242B27F5022AD57DC904E0B6D
                            SHA1:0561CE09AFD76E6447CA47E291943A3842CA8323
                            SHA-256:A63DE6D658685650FFFCA20F0A5F05F803A247A00991C546599DBF5BEE11DFB1
                            SHA-512:3363BD1BD8B5B586B14C7FB07B54742F5EA2D4D8AE7033D867226A9B415D997D423601D9E85197632EDB06A90281D9EB8CF4D41E14DAF21F23859F1852D66DE9
                            Malicious:false
                            Preview:..W.K.7.r.....-..u..O.&.2\.....$...:.<p..|.....c.8i,S.#.*.....hj&.d...U.V.nr....d.....r...5..nkw.x.......u...[t..b,....&.....Z.Y....{.>...N..D[^...3.......]..*...8.+>.G....s.r.<x_.@...Toc3.C.&0....i`.".x...?..).n..:`...B.]...C..X.c.}Xt.zm.K.Y.....P{J..{..mC:".,...:.r........(..1..h...H.`..Rb.>.R=...[...j+..Le.]........T.+7!g..A...s....l....Y..>Q....h.y...V.{..Q.1.b0j"u.W. ..h.a...P..u?.1.+*X/z.dJD.K*....i..&...l.....mM....U...e....Q.......C.0.[..!.}]}[1..UA..M.z.k.O=vE.?....`..7.s@"j...V.W..@IP.z...ri....v.T.]#....S.z..0 .9g.o..B.2.;we.......*T..H....U....J.x....D..n.t.$..1.r.s.F...kb`|......2.....Hw....S.M...3J..w....C.pp.u.NM9...*?f..3.p..O-Dk..tFly#......w........(...k.4.g.K+...|W.s....1...Q.. ...)$.K.o.?]....[....3...5......K....$j.^.........4...;-..\./GF......".fo[...F.2Vi(..r.:!...........".y..a..n......W..C..."..CaT.e ...>..SxB..AH4.k.-...=....L......=.5..9....N&1....`.00.QTb.P... ./..i.|K8.7<.f<.m.;..........<..A..h...

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulXg+//lz:NllUwu/l
                            MD5:ED0FF51DEEE7DB96EC9C5624C12E0A04
                            SHA1:515B7FC63DB9F9313A6AEE6B4A6266B0FB6FF3A7
                            SHA-256:B93B1F8411ACBB11CBECF0F4E344D7D6D3551801BD891B816FB4720E60CE357B
                            SHA-512:FD82F7D0B1B6F1641D2FF3F4EC6FEF66E2AB0F2048D7A5BBC674C379DD429516198FFD6E6E445C6EC1A2763ADAACF6288026B4A90697D86C8EED743A71F177ED
                            Malicious:false
                            Preview:@...e.................................F..............@..........

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xsd1f1l.4uy.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3tjt2z0.x4i.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_luqonh5n.tae.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thla013k.qss.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp

                            Download File
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530561171048803
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:6B62BAE0EB64E164C7CA6E4C80727D80
                            SHA1:B3FBB520FBC7CDBD2C9DD29F9258313837E41769
                            SHA-256:F7FEE346DE7B3D16964FBB512853CE8719CA6A9DB6017947578F1B983267C257
                            SHA-512:2A7404BCE01CDD9BE346E1B52ED2761AF1F53B8B60597CB5F4487FF1CBB499D8E86564028FE199C42B9D4392930EC3119C7079E3E34AA93D5EDB95CD00F72363
                            Malicious:true
                            Antivirus:
                            • Antivirus: Virustotal, Detection: 1%, Browse
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                            C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\_isetup\_setup64.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-CBGNM.tmp\update.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp

                            Download File
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530561171048803
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:6B62BAE0EB64E164C7CA6E4C80727D80
                            SHA1:B3FBB520FBC7CDBD2C9DD29F9258313837E41769
                            SHA-256:F7FEE346DE7B3D16964FBB512853CE8719CA6A9DB6017947578F1B983267C257
                            SHA-512:2A7404BCE01CDD9BE346E1B52ED2761AF1F53B8B60597CB5F4487FF1CBB499D8E86564028FE199C42B9D4392930EC3119C7079E3E34AA93D5EDB95CD00F72363
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                            C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\_isetup\_setup64.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-T50A5.tmp\update.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            \Device\ConDrv

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.933674304629618
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                            File size:6'351'526 bytes
                            MD5:cc4c53c634a350d8040888ff38df9e20
                            SHA1:1f3af1bab4b2e172c59fe165169976c20028a4fa
                            SHA256:13ded7ac74245dd01f80304bb56bb9f9480e20bf4a5166ed1287f5cd22f53f6a
                            SHA512:92a8e69c9ac1063732155aebabffbafd3dac887c3b6185aea564fdd43674ae7e9b1cf1d647a797e0adac56e2992e9c99e5ba124c5abfabe0491637123d4b0e42
                            SSDEEP:98304:XwRE8jCK5SKCngYyGgsKF6qoxVYva44P9H/gxcxRzkSzXdMwZga:l8jr5h8QGg7tGSa90ckO7
                            TLSH:58561223F2CBD43EF0590B3B15B2A25494FB6A616526BD1696ECB4ECCF311601E3E247
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                            File Icon

                            Icon Hash:0c0c2d33ceec80aa

                            Static PE Info

                            General

                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc

                            Entrypoint Preview

                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F6680C58735h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F6680CEA0BBh
                            call 00007F6680CE9C0Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F6680CE48E8h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F6680C527E3h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F6680CE5C13h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F6680CEA143h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F6680CF0E2Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F6680CE6508h
                            mov edx, dword ptr [004B4200h]

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0xb70000x71.edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xb50000xfec.idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xcb0000x11000.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000x10fa8.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0xb90000x18.rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0xb52d40x25c.idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xb60000x1a4.didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x10000xa568c0xa5800b889d302f6fc48a904de33d8d947ae80False0.3620185045317221data6.377190161826806IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext0xa70000x1b640x1c00588dd0a8ab499300d3701cbd11b017d9False0.548828125data6.109264411030635IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data0xa90000x38380x3a005c0c76e77aef52ebc6702430837ccb6eFalse0.35338092672413796data4.95916338709992IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss0xad0000x72580x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata0xb50000xfec0x1000627340dff539ef99048969aa4824fb2dFalse0.380615234375data5.020404933181373IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata0xb60000x1a40x200fd11c1109737963cc6cb7258063abfd6False0.34765625data2.729290535217263IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata0xb70000x710x2007de8ca0c7a61668a728fd3a88dc0942dFalse0.1796875data1.305578535725827IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls0xb80000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata0xb90000x5d0x200d84006640084dc9f74a07c2ff9c7d656False0.189453125data1.3892750148744617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xba0000x10fa80x11000a85fda2741bd9417695daa5fc5a9d7a5False0.5789579503676471data6.709466460182023IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc0xcb0000x110000x1100070036f9ecd5fc4a9149d4c203f06bf3aFalse0.1877728630514706data3.722956795486655IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_ICON0xcb6780xa68Device independent bitmap graphic, 64 x 128 x 4, image size 2048EnglishUnited States0.1174924924924925
                            RT_ICON0xcc0e00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.15792682926829268
                            RT_ICON0xcc7480x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.23387096774193547
                            RT_ICON0xcca300x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.39864864864864863
                            RT_ICON0xccb580x1628Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colorsEnglishUnited States0.08339210155148095
                            RT_ICON0xce1800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.1023454157782516
                            RT_ICON0xcf0280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.10649819494584838
                            RT_ICON0xcf8d00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.10838150289017341
                            RT_ICON0xcfe380x12e5PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.8712011577424024
                            RT_ICON0xd11200x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.05668398677373642
                            RT_ICON0xd53480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08475103734439834
                            RT_ICON0xd78f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.09920262664165103
                            RT_ICON0xd89980x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.2047872340425532
                            RT_STRING0xd8e000x3f8data0.3198818897637795
                            RT_STRING0xd91f80x2dcdata0.36475409836065575
                            RT_STRING0xd94d40x430data0.40578358208955223
                            RT_STRING0xd99040x44cdata0.38636363636363635
                            RT_STRING0xd9d500x2d4data0.39226519337016574
                            RT_STRING0xda0240xb8data0.6467391304347826
                            RT_STRING0xda0dc0x9cdata0.6410256410256411
                            RT_STRING0xda1780x374data0.4230769230769231
                            RT_STRING0xda4ec0x398data0.3358695652173913
                            RT_STRING0xda8840x368data0.3795871559633027
                            RT_STRING0xdabec0x2a4data0.4275147928994083
                            RT_RCDATA0xdae900x10data1.5
                            RT_RCDATA0xdaea00x310data0.6173469387755102
                            RT_RCDATA0xdb1b00x2cdata1.1818181818181819
                            RT_GROUP_ICON0xdb1dc0xbcdataEnglishUnited States0.6170212765957447
                            RT_VERSION0xdb2980x584dataEnglishUnited States0.278328611898017
                            RT_MANIFEST0xdb81c0x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                            Imports

                            DLLImport
                            kernel32.dllGetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dllInitCommonControls
                            user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dllConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

                            Exports

                            NameOrdinalAddress
                            __dbk_fcall_wrapper20x40fc10
                            dbkFCallWrapperAddr10x4b063c

                            Possible Origin

                            Language of compilation systemCountry where language is spokenMap
                            EnglishUnited States

                            Network Behavior

                            DNS Answers

                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                            Dec 25, 2024 04:39:08.295557976 CET1.1.1.1192.168.2.40x59eeNo error (0)edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comdefault.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comCNAME (Canonical name)IN (0x0001)false
                            Dec 25, 2024 04:39:08.295557976 CET1.1.1.1192.168.2.40x59eeNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.100A (IP address)IN (0x0001)false
                            Dec 25, 2024 04:39:08.295557976 CET1.1.1.1192.168.2.40x59eeNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.98A (IP address)IN (0x0001)false
                            Dec 25, 2024 04:39:08.295557976 CET1.1.1.1192.168.2.40x59eeNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.99A (IP address)IN (0x0001)false
                            Dec 25, 2024 04:39:08.295557976 CET1.1.1.1192.168.2.40x59eeNo error (0)default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com217.20.58.101A (IP address)IN (0x0001)false

                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:22:38:49
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
                            Imagebase:0x3a0000
                            File size:6'351'526 bytes
                            MD5 hash:CC4C53C634A350D8040888FF38DF9E20
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:1
                            Start time:22:38:50
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-QJVE7.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$2041A,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe"
                            Imagebase:0xbe0000
                            File size:3'366'912 bytes
                            MD5 hash:6B62BAE0EB64E164C7CA6E4C80727D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:2
                            Start time:22:38:50
                            Start date:24/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:3
                            Start time:22:38:50
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:4
                            Start time:22:38:53
                            Start date:24/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:false

                            General

                            Target ID:5
                            Start time:22:38:58
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
                            Imagebase:0x3a0000
                            File size:6'351'526 bytes
                            MD5 hash:CC4C53C634A350D8040888FF38DF9E20
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            General

                            Target ID:6
                            Start time:22:38:59
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-6J3GU.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.tmp" /SL5="$402A0,5397094,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe" /VERYSILENT
                            Imagebase:0x840000
                            File size:3'366'912 bytes
                            MD5 hash:6B62BAE0EB64E164C7CA6E4C80727D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Antivirus matches:
                            • Detection: 1%, Virustotal, Browse
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:7
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:8
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:9
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:10
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x7f0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal, Browse
                            Has exited:true

                            General

                            Target ID:11
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:12
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x7f0000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:13
                            Start time:22:39:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:14
                            Start time:22:39:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:15
                            Start time:22:39:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:16
                            Start time:22:39:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:17
                            Start time:22:39:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:18
                            Start time:22:39:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:19
                            Start time:22:39:02
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:20
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:21
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:22
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:23
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:24
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:25
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:26
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:27
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:28
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:29
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:30
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:31
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:32
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff70f330000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:33
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:34
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:35
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:36
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:37
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:38
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:39
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:40
                            Start time:22:39:03
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:41
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:42
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:43
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:44
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:45
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:46
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:47
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:48
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:49
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:50
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:51
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:52
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:53
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:54
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:55
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:56
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:57
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:58
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:59
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:60
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:61
                            Start time:22:39:04
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:63
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:64
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:65
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:66
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:67
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:68
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:69
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:70
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:71
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:72
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:73
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:74
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:75
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:76
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:77
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:78
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:79
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:80
                            Start time:22:39:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:81
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:82
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:83
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:84
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:85
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:86
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:87
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:88
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:89
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:90
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:91
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:92
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:93
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:94
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:95
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:96
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:97
                            Start time:22:39:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:98
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:99
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:100
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:101
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:102
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:103
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70daa0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:104
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:105
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:106
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff76bcf0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:107
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:108
                            Start time:22:39:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7d32e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:1.9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:5.2%
                              Total number of Nodes:731
                              Total number of Limit Nodes:8
                              execution_graph 63581 6bd23d62 63584 6bd23bc0 63581->63584 63582 6bd23e8a GetCurrentThread NtSetInformationThread 63583 6bd23eea 63582->63583 63584->63582 63585 6bd3f8a3 63587 6bd3f887 63585->63587 63586 6bd402ac GetCurrentProcess TerminateProcess 63588 6bd402ca 63586->63588 63587->63586 63589 6bd24b53 63747 6beaa133 63589->63747 63591 6bd24b5c _Yarn 63761 6be9e090 63591->63761 63593 6bd4639e 63854 6beb3820 18 API calls 2 library calls 63593->63854 63595 6bd24cff 63596 6bd25164 CreateFileA CloseHandle 63601 6bd251ec 63596->63601 63597 6bd24bae std::ios_base::_Ios_base_dtor 63597->63593 63597->63595 63597->63596 63598 6bd3245a _Yarn _strlen 63597->63598 63598->63593 63599 6be9e090 2 API calls 63598->63599 63614 6bd32a83 std::ios_base::_Ios_base_dtor 63599->63614 63767 6bea8810 OpenSCManagerA 63601->63767 63603 6bd2fc00 63846 6bea8930 CreateToolhelp32Snapshot 63603->63846 63606 6beaa133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63643 6bd25478 std::ios_base::_Ios_base_dtor _Yarn _strlen 63606->63643 63608 6bd337d0 Sleep 63653 6bd337e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 63608->63653 63609 6be9e090 2 API calls 63609->63643 63610 6bd463b2 63855 6bd215e0 18 API calls std::ios_base::_Ios_base_dtor 63610->63855 63611 6bea8930 4 API calls 63629 6bd3053a 63611->63629 63612 6bea8930 4 API calls 63635 6bd312e2 63612->63635 63614->63593 63771 6be90880 63614->63771 63615 6bd464f8 63616 6bd2ffe3 63616->63611 63620 6bd30abc 63616->63620 63617 6bd46ba0 104 API calls 63617->63643 63618 6bd46e60 32 API calls 63618->63643 63620->63598 63620->63612 63622 6bea8930 4 API calls 63622->63620 63623 6bea8930 4 API calls 63640 6bd31dd9 63623->63640 63624 6bd3211c 63624->63598 63625 6bd3241a 63624->63625 63628 6be90880 10 API calls 63625->63628 63626 6be9e090 2 API calls 63626->63653 63631 6bd3244d 63628->63631 63629->63620 63629->63622 63630 6bd26722 63822 6bea4860 25 API calls 4 library calls 63630->63822 63852 6bea9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63631->63852 63633 6bd32452 Sleep 63633->63598 63634 6bd316ac 63635->63623 63635->63624 63635->63634 63636 6bd26162 63637 6bd2740b 63823 6bea86e0 CreateProcessA 63637->63823 63639 6bea8930 4 API calls 63639->63624 63640->63624 63640->63639 63643->63593 63643->63603 63643->63606 63643->63609 63643->63617 63643->63618 63643->63630 63643->63636 63808 6bd47090 63643->63808 63821 6bd6e010 67 API calls 63643->63821 63644 6bd47090 77 API calls 63644->63653 63646 6bd2775a _strlen 63646->63593 63647 6bd27b92 63646->63647 63648 6bd27ba9 63646->63648 63651 6bd27b43 _Yarn 63646->63651 63649 6beaa133 std::_Facet_Register 4 API calls 63647->63649 63650 6beaa133 std::_Facet_Register 4 API calls 63648->63650 63649->63651 63650->63651 63652 6be9e090 2 API calls 63651->63652 63661 6bd27be7 std::ios_base::_Ios_base_dtor 63652->63661 63653->63593 63653->63626 63653->63644 63779 6bd46ba0 63653->63779 63798 6bd46e60 63653->63798 63853 6bd6e010 67 API calls 63653->63853 63654 6bea86e0 4 API calls 63665 6bd28a07 63654->63665 63655 6bd29d68 63658 6beaa133 std::_Facet_Register 4 API calls 63655->63658 63656 6bd29d7f 63659 6beaa133 std::_Facet_Register 4 API calls 63656->63659 63657 6bd2962c _strlen 63657->63593 63657->63655 63657->63656 63660 6bd29d18 _Yarn 63657->63660 63658->63660 63659->63660 63662 6be9e090 2 API calls 63660->63662 63661->63593 63661->63654 63661->63657 63663 6bd28387 63661->63663 63668 6bd29dbd std::ios_base::_Ios_base_dtor 63662->63668 63664 6bea86e0 4 API calls 63674 6bd29120 63664->63674 63665->63664 63666 6bea86e0 4 API calls 63683 6bd2a215 _strlen 63666->63683 63667 6bea86e0 4 API calls 63670 6bd29624 63667->63670 63668->63593 63668->63666 63673 6bd2e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 63668->63673 63669 6beaa133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63669->63673 63827 6bea9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63670->63827 63672 6be9e090 2 API calls 63672->63673 63673->63593 63673->63669 63673->63672 63675 6bd2ed02 Sleep 63673->63675 63676 6bd2f7b1 63673->63676 63674->63667 63695 6bd2e8c1 63675->63695 63845 6bea9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63676->63845 63678 6bd2e8dd GetCurrentProcess TerminateProcess 63678->63673 63679 6bd2a9a4 63681 6beaa133 std::_Facet_Register 4 API calls 63679->63681 63680 6bd2a9bb 63682 6beaa133 std::_Facet_Register 4 API calls 63680->63682 63690 6bd2a953 _Yarn _strlen 63681->63690 63682->63690 63683->63593 63683->63679 63683->63680 63683->63690 63684 6bea86e0 4 API calls 63684->63695 63685 6bd2fbb8 63687 6bd2fbe8 ExitWindowsEx Sleep 63685->63687 63686 6bd2f7c0 63686->63685 63687->63603 63688 6bd2aff0 63691 6beaa133 std::_Facet_Register 4 API calls 63688->63691 63689 6bd2b009 63692 6beaa133 std::_Facet_Register 4 API calls 63689->63692 63690->63610 63690->63688 63690->63689 63693 6bd2afa0 _Yarn 63690->63693 63691->63693 63692->63693 63828 6bea9050 63693->63828 63695->63673 63695->63678 63695->63684 63696 6bd2b059 std::ios_base::_Ios_base_dtor _strlen 63696->63593 63697 6bd2b443 63696->63697 63698 6bd2b42c 63696->63698 63701 6bd2b3da _Yarn _strlen 63696->63701 63700 6beaa133 std::_Facet_Register 4 API calls 63697->63700 63699 6beaa133 std::_Facet_Register 4 API calls 63698->63699 63699->63701 63700->63701 63701->63610 63702 6bd2b7b7 63701->63702 63703 6bd2b79e 63701->63703 63706 6bd2b751 _Yarn 63701->63706 63705 6beaa133 std::_Facet_Register 4 API calls 63702->63705 63704 6beaa133 std::_Facet_Register 4 API calls 63703->63704 63704->63706 63705->63706 63707 6bea9050 104 API calls 63706->63707 63708 6bd2b804 std::ios_base::_Ios_base_dtor _strlen 63707->63708 63708->63593 63709 6bd2bc26 63708->63709 63710 6bd2bc0f 63708->63710 63713 6bd2bbbd _Yarn _strlen 63708->63713 63711 6beaa133 std::_Facet_Register 4 API calls 63709->63711 63712 6beaa133 std::_Facet_Register 4 API calls 63710->63712 63711->63713 63712->63713 63713->63610 63714 6bd2c075 63713->63714 63715 6bd2c08e 63713->63715 63718 6bd2c028 _Yarn 63713->63718 63716 6beaa133 std::_Facet_Register 4 API calls 63714->63716 63717 6beaa133 std::_Facet_Register 4 API calls 63715->63717 63716->63718 63717->63718 63719 6bea9050 104 API calls 63718->63719 63724 6bd2c0db std::ios_base::_Ios_base_dtor _strlen 63719->63724 63720 6bd2c7a5 63722 6beaa133 std::_Facet_Register 4 API calls 63720->63722 63721 6bd2c7bc 63723 6beaa133 std::_Facet_Register 4 API calls 63721->63723 63731 6bd2c753 _Yarn _strlen 63722->63731 63723->63731 63724->63593 63724->63720 63724->63721 63724->63731 63725 6bd2d406 63728 6beaa133 std::_Facet_Register 4 API calls 63725->63728 63726 6bd2d3ed 63727 6beaa133 std::_Facet_Register 4 API calls 63726->63727 63729 6bd2d39a _Yarn 63727->63729 63728->63729 63730 6bea9050 104 API calls 63729->63730 63732 6bd2d458 std::ios_base::_Ios_base_dtor _strlen 63730->63732 63731->63610 63731->63725 63731->63726 63731->63729 63737 6bd2cb2f 63731->63737 63732->63593 63733 6bd2d8a4 63732->63733 63734 6bd2d8bb 63732->63734 63738 6bd2d852 _Yarn _strlen 63732->63738 63735 6beaa133 std::_Facet_Register 4 API calls 63733->63735 63736 6beaa133 std::_Facet_Register 4 API calls 63734->63736 63735->63738 63736->63738 63738->63610 63739 6bd2dcb6 63738->63739 63740 6bd2dccf 63738->63740 63743 6bd2dc69 _Yarn 63738->63743 63741 6beaa133 std::_Facet_Register 4 API calls 63739->63741 63742 6beaa133 std::_Facet_Register 4 API calls 63740->63742 63741->63743 63742->63743 63744 6bea9050 104 API calls 63743->63744 63746 6bd2dd1c std::ios_base::_Ios_base_dtor 63744->63746 63745 6bea86e0 4 API calls 63745->63673 63746->63593 63746->63745 63748 6beaa138 63747->63748 63749 6beaa152 63748->63749 63752 6beaa154 std::_Facet_Register 63748->63752 63856 6beb2704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63748->63856 63749->63591 63751 6beaafb3 std::_Facet_Register 63860 6beaca69 RaiseException 63751->63860 63752->63751 63857 6beaca69 RaiseException 63752->63857 63754 6beab7ac IsProcessorFeaturePresent 63760 6beab7d1 63754->63760 63756 6beaaf73 63858 6beaca69 RaiseException 63756->63858 63758 6beaaf93 std::invalid_argument::invalid_argument 63859 6beaca69 RaiseException 63758->63859 63760->63591 63762 6be9e0a4 63761->63762 63763 6be9e0a6 FindFirstFileA 63761->63763 63762->63763 63764 6be9e0e0 63763->63764 63765 6be9e0e2 FindClose 63764->63765 63766 6be9e13c 63764->63766 63765->63764 63766->63597 63768 6bea8846 63767->63768 63769 6bea88be OpenServiceA 63768->63769 63770 6bea8922 63768->63770 63769->63768 63770->63643 63772 6be90893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63771->63772 63773 6be94e71 CloseHandle 63772->63773 63774 6be93bd1 CloseHandle 63772->63774 63775 6bd337cb 63772->63775 63777 6be7cea0 WriteFile ReadFile WriteFile WriteFile 63772->63777 63861 6be7c390 63772->63861 63773->63772 63774->63772 63778 6bea9450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63775->63778 63777->63772 63778->63608 63780 6bd46bd5 63779->63780 63872 6bd72020 63780->63872 63782 6bd46c68 63783 6beaa133 std::_Facet_Register 4 API calls 63782->63783 63784 6bd46ca0 63783->63784 63889 6beaaa17 63784->63889 63786 6bd46cb4 63901 6bd71d90 63786->63901 63789 6bd46d8e 63789->63653 63791 6bd46dc8 63909 6bd726e0 24 API calls 4 library calls 63791->63909 63793 6bd46dda 63910 6beaca69 RaiseException 63793->63910 63795 6bd46def 63911 6bd6e010 67 API calls 63795->63911 63797 6bd46e0f 63797->63653 63799 6bd46e9f 63798->63799 63800 6bd46eb3 63799->63800 64306 6bd73560 32 API calls std::_Xinvalid_argument 63799->64306 63803 6bd46f5b 63800->63803 64308 6bd72250 30 API calls 63800->64308 64309 6bd726e0 24 API calls 4 library calls 63800->64309 64310 6beaca69 RaiseException 63800->64310 63804 6bd46f6e 63803->63804 64307 6bd737e0 32 API calls std::_Xinvalid_argument 63803->64307 63804->63653 63809 6bd4709e 63808->63809 63813 6bd470d1 63808->63813 64311 6bd701f0 63809->64311 63811 6bd47183 63811->63643 63813->63811 64315 6bd72250 30 API calls 63813->64315 63814 6beb4208 67 API calls 63814->63813 63816 6bd471ae 64316 6bd72340 24 API calls 63816->64316 63818 6bd471be 64317 6beaca69 RaiseException 63818->64317 63820 6bd471c9 63821->63643 63822->63637 63824 6bea8770 63823->63824 63825 6bea87b0 WaitForSingleObject CloseHandle CloseHandle 63824->63825 63826 6bea87a4 63824->63826 63825->63824 63826->63646 63827->63657 63829 6bea90a7 63828->63829 64363 6bea96e0 63829->64363 63831 6bea90b8 63832 6bd46ba0 104 API calls 63831->63832 63836 6bea90dc 63832->63836 63834 6bea918f std::ios_base::_Ios_base_dtor 64416 6bd6e010 67 API calls 63834->64416 63838 6bea9144 63836->63838 63844 6bea9157 63836->63844 64382 6bea9a30 63836->64382 64390 6bd83010 63836->64390 64400 6bea9280 63838->64400 63841 6bea91d2 std::ios_base::_Ios_base_dtor 63841->63696 63842 6bea914c 63843 6bd47090 77 API calls 63842->63843 63843->63844 64415 6bd6e010 67 API calls 63844->64415 63845->63686 63847 6bea8966 std::locale::_Setgloballocale 63846->63847 63848 6bea8a64 Process32NextW 63847->63848 63849 6bea8a14 CloseHandle 63847->63849 63850 6bea8a45 Process32FirstW 63847->63850 63851 6bea8a96 63847->63851 63848->63847 63849->63847 63850->63847 63851->63616 63852->63633 63853->63653 63855->63615 63856->63748 63857->63756 63858->63758 63859->63751 63860->63754 63862 6be7c3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 63861->63862 63863 6be7ce3c 63862->63863 63864 6be7cab9 CreateFileA 63862->63864 63866 6be7b4d0 63862->63866 63863->63772 63864->63862 63867 6be7b4e3 __wsopen_s std::locale::_Setgloballocale 63866->63867 63868 6be7c206 WriteFile 63867->63868 63869 6be7b619 WriteFile 63867->63869 63870 6be7c377 63867->63870 63871 6be7bc23 ReadFile 63867->63871 63868->63867 63869->63867 63870->63862 63871->63867 63873 6beaa133 std::_Facet_Register 4 API calls 63872->63873 63874 6bd7207e 63873->63874 63875 6beaaa17 43 API calls 63874->63875 63876 6bd72092 63875->63876 63912 6bd72f60 42 API calls 4 library calls 63876->63912 63878 6bd7210d 63884 6bd72120 63878->63884 63913 6beaa67e 9 API calls 2 library calls 63878->63913 63879 6bd720c8 63879->63878 63880 6bd72136 63879->63880 63914 6bd72250 30 API calls 63880->63914 63883 6bd7215b 63915 6bd72340 24 API calls 63883->63915 63884->63782 63886 6bd72171 63916 6beaca69 RaiseException 63886->63916 63888 6bd7217c 63888->63782 63890 6beaaa23 __EH_prolog3 63889->63890 63917 6beaa5a5 63890->63917 63893 6beaaa5f 63923 6beaa5d6 63893->63923 63896 6beaaa41 63931 6beaaaaa 39 API calls std::locale::_Setgloballocale 63896->63931 63898 6beaaa9c 63898->63786 63899 6beaaa49 63932 6beaa8a1 HeapFree GetLastError _Yarn ___std_exception_destroy 63899->63932 63902 6bd46d5d 63901->63902 63903 6bd71ddc 63901->63903 63902->63789 63908 6bd72250 30 API calls 63902->63908 63937 6beaab37 63903->63937 63907 6bd71e82 63908->63791 63909->63793 63910->63795 63911->63797 63912->63879 63913->63884 63914->63883 63915->63886 63916->63888 63918 6beaa5bb 63917->63918 63919 6beaa5b4 63917->63919 63921 6beaa5b9 63918->63921 63934 6beabc7b EnterCriticalSection 63918->63934 63933 6beb3abd 6 API calls std::_Lockit::_Lockit 63919->63933 63921->63893 63930 6beaa920 6 API calls 2 library calls 63921->63930 63924 6beb3acb 63923->63924 63925 6beaa5e0 63923->63925 63936 6beb3aa6 LeaveCriticalSection 63924->63936 63929 6beaa5f3 63925->63929 63935 6beabc89 LeaveCriticalSection 63925->63935 63928 6beb3ad2 63928->63898 63929->63898 63930->63896 63931->63899 63932->63893 63933->63921 63934->63921 63935->63929 63936->63928 63938 6beaab40 63937->63938 63939 6bd71dea 63938->63939 63946 6beb343a 63938->63946 63939->63902 63945 6beafc53 18 API calls __fassign 63939->63945 63941 6beaab8c 63941->63939 63957 6beb3148 65 API calls 63941->63957 63943 6beaaba7 63943->63939 63958 6beb4208 63943->63958 63945->63907 63947 6beb3445 __wsopen_s 63946->63947 63948 6beb3458 63947->63948 63949 6beb3478 63947->63949 63983 6beb3810 18 API calls __fassign 63948->63983 63953 6beb3468 63949->63953 63969 6bebe4fc 63949->63969 63953->63941 63957->63943 63959 6beb4214 __wsopen_s 63958->63959 63960 6beb421e 63959->63960 63961 6beb4233 63959->63961 64179 6beb3810 18 API calls __fassign 63960->64179 63962 6beb422e 63961->63962 64164 6beafc99 EnterCriticalSection 63961->64164 63962->63939 63964 6beb4250 64165 6beb428c 63964->64165 63967 6beb425b 64180 6beb4282 LeaveCriticalSection 63967->64180 63970 6bebe508 __wsopen_s 63969->63970 63985 6beb3a8f EnterCriticalSection 63970->63985 63972 6bebe516 63986 6bebe5a0 63972->63986 63977 6bebe662 63978 6bebe781 63977->63978 64010 6bebe804 63978->64010 63981 6beb34bc 63984 6beb34e5 LeaveCriticalSection 63981->63984 63983->63953 63984->63953 63985->63972 63994 6bebe5c3 63986->63994 63987 6bebe523 64000 6bebe55c 63987->64000 63988 6bebe61b 64005 6beba8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63988->64005 63991 6bebe624 64006 6beb7eab HeapFree GetLastError __dosmaperr 63991->64006 63993 6bebe62d 63993->63987 64007 6beba30f 6 API calls std::_Lockit::_Lockit 63993->64007 63994->63987 63994->63988 63994->63994 64003 6beafc99 EnterCriticalSection 63994->64003 64004 6beafcad LeaveCriticalSection 63994->64004 63996 6bebe64c 64008 6beafc99 EnterCriticalSection 63996->64008 63999 6bebe65f 63999->63987 64009 6beb3aa6 LeaveCriticalSection 64000->64009 64002 6beb3493 64002->63953 64002->63977 64003->63994 64004->63994 64005->63991 64006->63993 64007->63996 64008->63999 64009->64002 64011 6bebe823 64010->64011 64012 6bebe836 64011->64012 64016 6bebe84b 64011->64016 64026 6beb3810 18 API calls __fassign 64012->64026 64014 6bebe797 64014->63981 64023 6bec76ce 64014->64023 64021 6bebe96b 64016->64021 64027 6bec7598 37 API calls __fassign 64016->64027 64018 6bebe9bb 64018->64021 64028 6bec7598 37 API calls __fassign 64018->64028 64020 6bebe9d9 64020->64021 64029 6bec7598 37 API calls __fassign 64020->64029 64021->64014 64030 6beb3810 18 API calls __fassign 64021->64030 64031 6bec7a86 64023->64031 64026->64014 64027->64018 64028->64020 64029->64021 64030->64014 64033 6bec7a92 __wsopen_s 64031->64033 64032 6bec7a99 64049 6beb3810 18 API calls __fassign 64032->64049 64033->64032 64034 6bec7ac4 64033->64034 64040 6bec76ee 64034->64040 64039 6bec76e9 64039->63981 64051 6beb3dbb 64040->64051 64045 6bec7724 64047 6bec7756 64045->64047 64091 6beb7eab HeapFree GetLastError __dosmaperr 64045->64091 64050 6bec7b1b LeaveCriticalSection __wsopen_s 64047->64050 64049->64039 64050->64039 64092 6beaf3db 64051->64092 64055 6beb3ddf 64056 6beaf4e6 64055->64056 64101 6beaf53e 64056->64101 64058 6beaf4fe 64058->64045 64059 6bec775c 64058->64059 64116 6bec7bdc 64059->64116 64062 6bec778e __dosmaperr 64062->64045 64066 6bec7882 GetFileType 64067 6bec788d GetLastError 64066->64067 64068 6bec78d4 64066->64068 64145 6beb30e2 __dosmaperr 64067->64145 64146 6bec4ea0 SetStdHandle __dosmaperr __wsopen_s 64068->64146 64069 6bec7857 GetLastError 64069->64062 64071 6bec7805 64071->64066 64071->64069 64144 6bec7b47 CreateFileW 64071->64144 64072 6bec789b CloseHandle 64072->64062 64088 6bec78c4 64072->64088 64075 6bec784a 64075->64066 64075->64069 64076 6bec78f5 64077 6bec7941 64076->64077 64147 6bec7d56 70 API calls 2 library calls 64076->64147 64081 6bec7948 64077->64081 64161 6bec7e00 70 API calls 2 library calls 64077->64161 64080 6bec7976 64080->64081 64082 6bec7984 64080->64082 64148 6bebf015 64081->64148 64082->64062 64084 6bec7a00 CloseHandle 64082->64084 64162 6bec7b47 CreateFileW 64084->64162 64086 6bec7a2b 64087 6bec7a35 GetLastError 64086->64087 64086->64088 64089 6bec7a41 __dosmaperr 64087->64089 64088->64062 64163 6bec4e0f SetStdHandle __dosmaperr __wsopen_s 64089->64163 64091->64047 64093 6beaf3fb 64092->64093 64099 6beaf3f2 64092->64099 64094 6beb80a2 __Getctype 37 API calls 64093->64094 64093->64099 64095 6beaf41b 64094->64095 64096 6beb8618 __Getctype 37 API calls 64095->64096 64097 6beaf431 64096->64097 64098 6beb8645 __fassign 37 API calls 64097->64098 64098->64099 64099->64055 64100 6beba0c5 5 API calls std::_Lockit::_Lockit 64099->64100 64100->64055 64102 6beaf54c 64101->64102 64103 6beaf566 64101->64103 64104 6beaf4cc __wsopen_s HeapFree GetLastError 64102->64104 64105 6beaf58c 64103->64105 64106 6beaf56d 64103->64106 64110 6beaf556 __dosmaperr 64104->64110 64107 6beb7f33 __fassign MultiByteToWideChar 64105->64107 64108 6beaf48d __wsopen_s HeapFree GetLastError 64106->64108 64106->64110 64109 6beaf59b 64107->64109 64108->64110 64111 6beaf5a2 GetLastError 64109->64111 64112 6beaf5c8 64109->64112 64113 6beaf48d __wsopen_s HeapFree GetLastError 64109->64113 64110->64058 64111->64110 64112->64110 64114 6beb7f33 __fassign MultiByteToWideChar 64112->64114 64113->64112 64115 6beaf5df 64114->64115 64115->64110 64115->64111 64117 6bec7c17 64116->64117 64119 6bec7bfd 64116->64119 64118 6bec7b6c __wsopen_s 18 API calls 64117->64118 64121 6bec7c4f 64118->64121 64119->64117 64120 6beb3810 __fassign 18 API calls 64119->64120 64120->64117 64122 6bec7c7e 64121->64122 64126 6beb3810 __fassign 18 API calls 64121->64126 64123 6bec9001 __wsopen_s 18 API calls 64122->64123 64128 6bec7779 64122->64128 64124 6bec7ccc 64123->64124 64125 6bec7d49 64124->64125 64124->64128 64127 6beb383d __Getctype 11 API calls 64125->64127 64126->64122 64129 6bec7d55 64127->64129 64128->64062 64130 6bec4cfc 64128->64130 64131 6bec4d08 __wsopen_s 64130->64131 64132 6beb3a8f std::_Lockit::_Lockit EnterCriticalSection 64131->64132 64133 6bec4d0f 64132->64133 64134 6bec4d34 64133->64134 64139 6bec4da3 EnterCriticalSection 64133->64139 64141 6bec4d56 64133->64141 64136 6bec4f32 __wsopen_s 11 API calls 64134->64136 64135 6bec4e06 __wsopen_s LeaveCriticalSection 64137 6bec4d76 64135->64137 64138 6bec4d39 64136->64138 64137->64062 64143 6bec7b47 CreateFileW 64137->64143 64138->64141 64142 6bec5080 __wsopen_s EnterCriticalSection 64138->64142 64140 6bec4db0 LeaveCriticalSection 64139->64140 64139->64141 64140->64133 64141->64135 64142->64141 64143->64071 64144->64075 64145->64072 64146->64076 64147->64077 64149 6bec4c92 __wsopen_s 18 API calls 64148->64149 64152 6bebf025 64149->64152 64150 6bebf02b 64151 6bec4e0f __wsopen_s SetStdHandle 64150->64151 64155 6bebf083 __dosmaperr 64151->64155 64152->64150 64153 6bec4c92 __wsopen_s 18 API calls 64152->64153 64160 6bebf05d 64152->64160 64156 6bebf054 64153->64156 64154 6bec4c92 __wsopen_s 18 API calls 64157 6bebf069 CloseHandle 64154->64157 64155->64062 64158 6bec4c92 __wsopen_s 18 API calls 64156->64158 64157->64150 64159 6bebf075 GetLastError 64157->64159 64158->64160 64159->64150 64160->64150 64160->64154 64161->64080 64162->64086 64163->64088 64164->63964 64166 6beb4299 64165->64166 64167 6beb42ae 64165->64167 64203 6beb3810 18 API calls __fassign 64166->64203 64171 6beb42a9 64167->64171 64181 6beb43a9 64167->64181 64171->63967 64175 6beb42d1 64196 6bebef88 64175->64196 64177 6beb42d7 64177->64171 64204 6beb7eab HeapFree GetLastError __dosmaperr 64177->64204 64179->63962 64180->63962 64182 6beb43c1 64181->64182 64186 6beb42c3 64181->64186 64183 6bebd350 18 API calls 64182->64183 64182->64186 64184 6beb43df 64183->64184 64205 6bebf25c 64184->64205 64187 6bebbe2e 64186->64187 64188 6bebbe45 64187->64188 64190 6beb42cb 64187->64190 64188->64190 64293 6beb7eab HeapFree GetLastError __dosmaperr 64188->64293 64191 6bebd350 64190->64191 64192 6bebd371 64191->64192 64193 6bebd35c 64191->64193 64192->64175 64294 6beb3810 18 API calls __fassign 64193->64294 64195 6bebd36c 64195->64175 64197 6bebef99 __dosmaperr 64196->64197 64198 6bebefae 64196->64198 64197->64177 64199 6bebeff7 __dosmaperr 64198->64199 64200 6bebefd5 64198->64200 64303 6beb3810 18 API calls __fassign 64199->64303 64295 6bebf0b1 64200->64295 64203->64171 64204->64171 64206 6bebf268 __wsopen_s 64205->64206 64207 6bebf270 __dosmaperr 64206->64207 64208 6bebf2ba 64206->64208 64209 6bebf323 __dosmaperr 64206->64209 64207->64186 64216 6bec5080 EnterCriticalSection 64208->64216 64246 6beb3810 18 API calls __fassign 64209->64246 64211 6bebf2c0 64213 6bebf2dc __dosmaperr 64211->64213 64217 6bebf34e 64211->64217 64245 6bebf31b LeaveCriticalSection __wsopen_s 64213->64245 64216->64211 64218 6bebf370 64217->64218 64238 6bebf38c __dosmaperr 64217->64238 64219 6bebf3c4 64218->64219 64220 6bebf374 __dosmaperr 64218->64220 64221 6bebf3d7 64219->64221 64255 6bebe359 20 API calls __wsopen_s 64219->64255 64254 6beb3810 18 API calls __fassign 64220->64254 64247 6bebf530 64221->64247 64226 6bebf3ed 64228 6bebf3f1 64226->64228 64229 6bebf416 64226->64229 64227 6bebf42c 64230 6bebf440 64227->64230 64231 6bebf485 WriteFile 64227->64231 64228->64238 64256 6bebf94b 6 API calls __wsopen_s 64228->64256 64257 6bebf5a1 43 API calls 5 library calls 64229->64257 64234 6bebf44b 64230->64234 64235 6bebf475 64230->64235 64233 6bebf4a9 GetLastError 64231->64233 64231->64238 64233->64238 64239 6bebf450 64234->64239 64240 6bebf465 64234->64240 64260 6bebf9b3 7 API calls 2 library calls 64235->64260 64238->64213 64239->64238 64242 6bebf455 64239->64242 64259 6bebfb77 8 API calls 3 library calls 64240->64259 64258 6bebfa8e 7 API calls 2 library calls 64242->64258 64243 6bebf463 64243->64238 64245->64207 64246->64207 64261 6bec50d5 64247->64261 64249 6bebf541 64250 6bebf3e8 64249->64250 64266 6beb80a2 GetLastError 64249->64266 64250->64226 64250->64227 64253 6bebf57e GetConsoleMode 64253->64250 64254->64238 64255->64221 64256->64238 64257->64238 64258->64243 64259->64243 64260->64243 64263 6bec50e2 64261->64263 64264 6bec50ef 64261->64264 64262 6bec50fb 64262->64249 64263->64249 64264->64262 64265 6beb3810 __fassign 18 API calls 64264->64265 64265->64263 64267 6beb80b9 64266->64267 64268 6beb80bf 64266->64268 64269 6beba213 __Getctype 6 API calls 64267->64269 64270 6beba252 __Getctype 6 API calls 64268->64270 64272 6beb80c5 SetLastError 64268->64272 64269->64268 64271 6beb80dd 64270->64271 64271->64272 64273 6beb80e1 64271->64273 64277 6beb8159 64272->64277 64278 6beb8153 64272->64278 64274 6beba8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 64273->64274 64276 6beb80ed 64274->64276 64279 6beb810c 64276->64279 64280 6beb80f5 64276->64280 64282 6beb41b9 __Getctype 35 API calls 64277->64282 64278->64250 64278->64253 64283 6beba252 __Getctype 6 API calls 64279->64283 64281 6beba252 __Getctype 6 API calls 64280->64281 64284 6beb8103 64281->64284 64285 6beb815e 64282->64285 64286 6beb8118 64283->64286 64289 6beb7eab _free HeapFree GetLastError 64284->64289 64287 6beb812d 64286->64287 64288 6beb811c 64286->64288 64292 6beb7eab _free HeapFree GetLastError 64287->64292 64290 6beba252 __Getctype 6 API calls 64288->64290 64291 6beb8109 64289->64291 64290->64284 64291->64272 64292->64291 64293->64190 64294->64195 64296 6bebf0bd __wsopen_s 64295->64296 64304 6bec5080 EnterCriticalSection 64296->64304 64298 6bebf0cb 64299 6bebf015 __wsopen_s 21 API calls 64298->64299 64300 6bebf0f8 64298->64300 64299->64300 64305 6bebf131 LeaveCriticalSection __wsopen_s 64300->64305 64302 6bebf11a 64302->64197 64303->64197 64304->64298 64305->64302 64306->63800 64307->63804 64308->63800 64309->63800 64310->63800 64312 6bd7022e 64311->64312 64313 6bd470c4 64312->64313 64318 6beb4ecb 64312->64318 64313->63814 64315->63816 64316->63818 64317->63820 64319 6beb4ed9 64318->64319 64320 6beb4ef6 64318->64320 64319->64320 64321 6beb4efa 64319->64321 64322 6beb4ee6 64319->64322 64320->64312 64326 6beb50f2 64321->64326 64334 6beb3810 18 API calls __fassign 64322->64334 64327 6beb50fe __wsopen_s 64326->64327 64335 6beafc99 EnterCriticalSection 64327->64335 64329 6beb510c 64336 6beb50af 64329->64336 64333 6beb4f2c 64333->64312 64334->64320 64335->64329 64344 6bebbc96 64336->64344 64342 6beb50e9 64343 6beb5141 LeaveCriticalSection 64342->64343 64343->64333 64345 6bebd350 18 API calls 64344->64345 64346 6bebbca7 64345->64346 64347 6bec50d5 __wsopen_s 18 API calls 64346->64347 64349 6bebbcad __wsopen_s 64347->64349 64348 6beb50c3 64351 6beb4f2e 64348->64351 64349->64348 64361 6beb7eab HeapFree GetLastError __dosmaperr 64349->64361 64352 6beb4f5e 64351->64352 64354 6beb4f40 64351->64354 64360 6bebbd49 62 API calls 64352->64360 64353 6beb4f4e 64362 6beb3810 18 API calls __fassign 64353->64362 64354->64352 64354->64353 64358 6beb4f76 _Yarn 64354->64358 64356 6beb43a9 62 API calls 64356->64358 64357 6bebd350 18 API calls 64357->64358 64358->64352 64358->64356 64358->64357 64359 6bebf25c __wsopen_s 62 API calls 64358->64359 64359->64358 64360->64342 64361->64348 64362->64352 64364 6bea9715 64363->64364 64365 6bd72020 52 API calls 64364->64365 64366 6bea97b6 64365->64366 64367 6beaa133 std::_Facet_Register 4 API calls 64366->64367 64368 6bea97ee 64367->64368 64369 6beaaa17 43 API calls 64368->64369 64370 6bea9802 64369->64370 64371 6bd71d90 89 API calls 64370->64371 64373 6bea98ab 64371->64373 64372 6bea98dc 64372->63831 64373->64372 64417 6bd72250 30 API calls 64373->64417 64375 6bea9916 64418 6bd726e0 24 API calls 4 library calls 64375->64418 64377 6bea9928 64419 6beaca69 RaiseException 64377->64419 64379 6bea993d 64420 6bd6e010 67 API calls 64379->64420 64381 6bea994f 64381->63831 64383 6bea9a7d 64382->64383 64421 6bea9c90 64383->64421 64385 6bea9b6c 64385->63836 64388 6bea9a95 64388->64385 64439 6bd72250 30 API calls 64388->64439 64440 6bd726e0 24 API calls 4 library calls 64388->64440 64441 6beaca69 RaiseException 64388->64441 64391 6bd8304f 64390->64391 64394 6bd83063 64391->64394 64450 6bd73560 32 API calls std::_Xinvalid_argument 64391->64450 64396 6bd8311e 64394->64396 64452 6bd72250 30 API calls 64394->64452 64453 6bd726e0 24 API calls 4 library calls 64394->64453 64454 6beaca69 RaiseException 64394->64454 64397 6bd83131 64396->64397 64451 6bd737e0 32 API calls std::_Xinvalid_argument 64396->64451 64397->63836 64401 6bea928e 64400->64401 64404 6bea92c1 64400->64404 64403 6bd701f0 64 API calls 64401->64403 64402 6bea9373 64402->63842 64405 6bea92b4 64403->64405 64404->64402 64455 6bd72250 30 API calls 64404->64455 64407 6beb4208 67 API calls 64405->64407 64407->64404 64408 6bea939e 64456 6bd72340 24 API calls 64408->64456 64410 6bea93ae 64457 6beaca69 RaiseException 64410->64457 64412 6bea93b9 64458 6bd6e010 67 API calls 64412->64458 64414 6bea9412 std::ios_base::_Ios_base_dtor 64414->63842 64415->63834 64416->63841 64417->64375 64418->64377 64419->64379 64420->64381 64422 6bea9cf8 64421->64422 64423 6bea9ccc 64421->64423 64430 6bea9d09 64422->64430 64442 6bd73560 32 API calls std::_Xinvalid_argument 64422->64442 64424 6bea9cf1 64423->64424 64444 6bd72250 30 API calls 64423->64444 64424->64388 64427 6bea9ed8 64445 6bd72340 24 API calls 64427->64445 64429 6bea9ee7 64446 6beaca69 RaiseException 64429->64446 64430->64424 64443 6bd72f60 42 API calls 4 library calls 64430->64443 64433 6bea9d43 64433->64424 64447 6bd72250 30 API calls 64433->64447 64435 6bea9f17 64448 6bd72340 24 API calls 64435->64448 64437 6bea9f2d 64449 6beaca69 RaiseException 64437->64449 64439->64388 64440->64388 64441->64388 64442->64430 64443->64433 64444->64427 64445->64429 64446->64433 64447->64435 64448->64437 64449->64424 64450->64394 64451->64397 64452->64394 64453->64394 64454->64394 64455->64408 64456->64410 64457->64412 64458->64414 64459 6bd3f150 64461 6bd3efbe 64459->64461 64460 6bd3f243 CreateFileA 64463 6bd3f2a7 64460->64463 64461->64460 64462 6bd402ca 64463->64462 64464 6bd402ac GetCurrentProcess TerminateProcess 64463->64464 64464->64462 64465 6beb262f 64466 6beb263b __wsopen_s 64465->64466 64467 6beb264f 64466->64467 64468 6beb2642 GetLastError ExitThread 64466->64468 64469 6beb80a2 __Getctype 37 API calls 64467->64469 64470 6beb2654 64469->64470 64477 6bebd456 64470->64477 64473 6beb266b 64483 6beb259a 16 API calls 2 library calls 64473->64483 64476 6beb268d 64478 6bebd468 GetPEB 64477->64478 64479 6beb265f 64477->64479 64478->64479 64480 6bebd47b 64478->64480 64479->64473 64482 6beba45f 5 API calls std::_Lockit::_Lockit 64479->64482 64484 6beba508 5 API calls std::_Lockit::_Lockit 64480->64484 64482->64473 64483->64476 64484->64479 64485 6bec01c3 64486 6bec01d5 __dosmaperr 64485->64486 64487 6bec01ed 64485->64487 64487->64486 64488 6bec0267 64487->64488 64490 6bec0238 __dosmaperr 64487->64490 64491 6bec0280 64488->64491 64492 6bec029b __dosmaperr 64488->64492 64493 6bec02d7 __wsopen_s 64488->64493 64527 6beb3810 18 API calls __fassign 64490->64527 64491->64492 64512 6bec0285 64491->64512 64520 6beb3810 18 API calls __fassign 64492->64520 64521 6beb7eab HeapFree GetLastError __dosmaperr 64493->64521 64494 6bec50d5 __wsopen_s 18 API calls 64496 6bec042e 64494->64496 64499 6bec04a4 64496->64499 64502 6bec0447 GetConsoleMode 64496->64502 64497 6bec02f7 64522 6beb7eab HeapFree GetLastError __dosmaperr 64497->64522 64501 6bec04a8 ReadFile 64499->64501 64504 6bec051c GetLastError 64501->64504 64505 6bec04c2 64501->64505 64502->64499 64506 6bec0458 64502->64506 64503 6bec02fe 64517 6bec02b2 __dosmaperr __wsopen_s 64503->64517 64523 6bebe359 20 API calls __wsopen_s 64503->64523 64504->64517 64505->64504 64508 6bec0499 64505->64508 64506->64501 64507 6bec045e ReadConsoleW 64506->64507 64507->64508 64509 6bec047a GetLastError 64507->64509 64513 6bec04fe 64508->64513 64514 6bec04e7 64508->64514 64508->64517 64509->64517 64512->64494 64516 6bec0515 64513->64516 64513->64517 64525 6bec05ee 23 API calls 3 library calls 64514->64525 64526 6bec08a6 21 API calls __wsopen_s 64516->64526 64524 6beb7eab HeapFree GetLastError __dosmaperr 64517->64524 64519 6bec051a 64519->64517 64520->64517 64521->64497 64522->64503 64523->64512 64524->64486 64525->64517 64526->64519 64527->64486

                              Executed Functions

                              Function 6BD24754 Relevance: 69.2, APIs: 28, Strings: 1, Instructions: 18471COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 8ebfc5726f4328aaa2fc77b6823b260977e527b03ff6401833c01765c8f953d4
                              • Instruction ID: 6c961bcfd79ff442d6ec08f80ef4ba5d3a0ecc1f109a06a12fdf87427cfde051
                              • Opcode Fuzzy Hash: 8ebfc5726f4328aaa2fc77b6823b260977e527b03ff6401833c01765c8f953d4
                              • Instruction Fuzzy Hash: 4A741671644B42CFC728CF28C8D0695B7E3EF95328B198A6DC1E68F655E778B44ACB40
                              Function 6BEA8930 Relevance: 6.1, APIs: 4, Instructions: 95processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4604 6bea8930-6bea8964 CreateToolhelp32Snapshot 4605 6bea8980-6bea8989 4604->4605 4606 6bea898b-6bea8990 4605->4606 4607 6bea89d0-6bea89d5 4605->4607 4608 6bea8a0d-6bea8a12 4606->4608 4609 6bea8992-6bea8997 4606->4609 4610 6bea89d7-6bea89dc 4607->4610 4611 6bea8a34-6bea8a62 call 6beaf010 Process32FirstW 4607->4611 4617 6bea8a8b-6bea8a90 4608->4617 4618 6bea8a14-6bea8a2f CloseHandle 4608->4618 4613 6bea8999-6bea899e 4609->4613 4614 6bea8966-6bea8973 4609->4614 4615 6bea89e2-6bea89e7 4610->4615 4616 6bea8a64-6bea8a71 Process32NextW 4610->4616 4620 6bea8a76-6bea8a86 4611->4620 4613->4605 4622 6bea89a0-6bea89ca call 6beb62f5 4613->4622 4614->4605 4615->4605 4623 6bea89e9-6bea8a08 4615->4623 4616->4620 4617->4605 4621 6bea8a96-6bea8aa4 4617->4621 4618->4605 4620->4605 4622->4605 4623->4605
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6BEA893E
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: 68cf69c9b45ae8b3ebc042b8408b849f001eff986b0958e5c2c4fc2115fd5bda
                              • Instruction ID: 703d9995c49a1ad21f1c0c095b2e3e41919f8bfb15580c83518c5f62b51f53ab
                              • Opcode Fuzzy Hash: 68cf69c9b45ae8b3ebc042b8408b849f001eff986b0958e5c2c4fc2115fd5bda
                              • Instruction Fuzzy Hash: E0316D70909341AFD7019F68C884B5EBBE8AF89708F20496DF4C8EA364D739D8958B53
                              Function 6BD23886 Relevance: 3.6, APIs: 2, Instructions: 573COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4877 6bd23886-6bd2388e 4878 6bd23970-6bd2397d 4877->4878 4879 6bd23894-6bd23896 4877->4879 4881 6bd239f1-6bd239f8 4878->4881 4882 6bd2397f-6bd23989 4878->4882 4879->4878 4880 6bd2389c-6bd238b9 4879->4880 4883 6bd238c0-6bd238c1 4880->4883 4885 6bd23ab5-6bd23aba 4881->4885 4886 6bd239fe-6bd23a03 4881->4886 4882->4880 4884 6bd2398f-6bd23994 4882->4884 4889 6bd2395e 4883->4889 4891 6bd23b16-6bd23b18 4884->4891 4892 6bd2399a-6bd2399f 4884->4892 4885->4880 4890 6bd23ac0-6bd23ac7 4885->4890 4887 6bd238d2-6bd238d4 4886->4887 4888 6bd23a09-6bd23a2f 4886->4888 4895 6bd23957-6bd2395c 4887->4895 4893 6bd23a35-6bd23a3a 4888->4893 4894 6bd238f8-6bd23955 4888->4894 4897 6bd23960-6bd23964 4889->4897 4890->4883 4896 6bd23acd-6bd23ad6 4890->4896 4891->4883 4898 6bd239a5-6bd239bf 4892->4898 4899 6bd2383b-6bd23855 call 6be72a20 call 6be72a30 4892->4899 4900 6bd23a40-6bd23a57 4893->4900 4901 6bd23b1d-6bd23b22 4893->4901 4894->4895 4895->4889 4896->4891 4902 6bd23ad8-6bd23aeb 4896->4902 4904 6bd23860-6bd23885 4897->4904 4905 6bd2396a 4897->4905 4906 6bd23a5a-6bd23a5d 4898->4906 4899->4904 4900->4906 4911 6bd23b24-6bd23b44 4901->4911 4912 6bd23b49-6bd23b50 4901->4912 4902->4894 4909 6bd23af1-6bd23af8 4902->4909 4904->4877 4914 6bd23ba1-6bd23bb6 4905->4914 4907 6bd23a87-6bd23aa7 4906->4907 4908 6bd23aa9-6bd23ab0 4906->4908 4907->4908 4908->4897 4916 6bd23b62-6bd23b85 4909->4916 4917 6bd23afa-6bd23aff 4909->4917 4911->4907 4912->4883 4919 6bd23b56-6bd23b5d 4912->4919 4915 6bd23bc0-6bd23bda call 6be72a20 call 6be72a30 4914->4915 4928 6bd23be0-6bd23bfe 4915->4928 4916->4894 4922 6bd23b8b 4916->4922 4917->4895 4919->4897 4922->4914 4931 6bd23c04-6bd23c11 4928->4931 4932 6bd23e7b 4928->4932 4934 6bd23ce0-6bd23cea 4931->4934 4935 6bd23c17-6bd23c20 4931->4935 4933 6bd23e81-6bd23ee0 call 6bd23750 GetCurrentThread NtSetInformationThread 4932->4933 4949 6bd23eea-6bd23f04 call 6be72a20 call 6be72a30 4933->4949 4937 6bd23d3a-6bd23d3c 4934->4937 4938 6bd23cec-6bd23d0c 4934->4938 4939 6bd23c26-6bd23c2d 4935->4939 4940 6bd23dc5 4935->4940 4943 6bd23d70-6bd23d8d 4937->4943 4944 6bd23d3e-6bd23d45 4937->4944 4942 6bd23d90-6bd23d95 4938->4942 4945 6bd23dc3 4939->4945 4946 6bd23c33-6bd23c3a 4939->4946 4947 6bd23dc6 4940->4947 4951 6bd23d97-6bd23db8 4942->4951 4952 6bd23dba-6bd23dc1 4942->4952 4943->4942 4950 6bd23d50-6bd23d57 4944->4950 4945->4940 4953 6bd23c40-6bd23c5b 4946->4953 4954 6bd23e26-6bd23e2b 4946->4954 4948 6bd23dc8-6bd23dcc 4947->4948 4948->4928 4956 6bd23dd2 4948->4956 4971 6bd23f75-6bd23fa1 4949->4971 4950->4947 4951->4940 4952->4945 4960 6bd23dd7-6bd23ddc 4952->4960 4955 6bd23e1b-6bd23e24 4953->4955 4957 6bd23e31 4954->4957 4958 6bd23c7b-6bd23cd0 4954->4958 4955->4948 4963 6bd23e76-6bd23e79 4956->4963 4957->4915 4958->4950 4961 6bd23e36-6bd23e3d 4960->4961 4962 6bd23dde-6bd23e17 4960->4962 4966 6bd23e3f-6bd23e5a 4961->4966 4967 6bd23e5c-6bd23e5f 4961->4967 4962->4955 4963->4933 4966->4955 4967->4958 4969 6bd23e65-6bd23e69 4967->4969 4969->4948 4969->4963 4975 6bd23fa3-6bd23fa8 4971->4975 4976 6bd24020-6bd24026 4971->4976 4979 6bd23fae-6bd23fcf 4975->4979 4980 6bd2407c-6bd24081 4975->4980 4977 6bd23f06-6bd23f35 4976->4977 4978 6bd2402c-6bd2403c 4976->4978 4985 6bd23f38-6bd23f61 4977->4985 4981 6bd240b3-6bd240b8 4978->4981 4982 6bd2403e-6bd24058 4978->4982 4983 6bd240aa-6bd240ae 4979->4983 4980->4983 4984 6bd24083-6bd2408a 4980->4984 4981->4979 4989 6bd240be-6bd240c9 4981->4989 4986 6bd2405a-6bd24063 4982->4986 4987 6bd23f6b-6bd23f6f 4983->4987 4984->4985 4988 6bd24090 4984->4988 4990 6bd23f64-6bd23f67 4985->4990 4991 6bd240f5-6bd2413f 4986->4991 4992 6bd24069-6bd2406c 4986->4992 4987->4971 4988->4949 4989->4983 4993 6bd240cb-6bd240d4 4989->4993 4994 6bd23f69 4990->4994 4991->4994 4995 6bd24072-6bd24077 4992->4995 4996 6bd24144-6bd2414b 4992->4996 4997 6bd240d6-6bd240f0 4993->4997 4998 6bd240a7 4993->4998 4994->4987 4995->4990 4996->4987 4997->4986 4998->4983
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2ae63a8b714414bba489cd355c9c8cb45e090141af238e26bf49429d306de0d0
                              • Instruction ID: 215abddc0f1a5060cbc902bceaa955b7b543047a7c5b3ea6d929cf354559bedc
                              • Opcode Fuzzy Hash: 2ae63a8b714414bba489cd355c9c8cb45e090141af238e26bf49429d306de0d0
                              • Instruction Fuzzy Hash: D332B032244B81CFC334CF28C890695B7E3EF913387698A6DC5EA4F655D779B44A8B50
                              Function 6BD23A6A Relevance: 3.1, APIs: 2, Instructions: 148threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: c646a195b3cb7c5b5dbec25027f567f674e8d401275bd255f486bdfbdc49e010
                              • Instruction ID: ed1797eedf09726414b1c874b1081543daf51cafcbde22bbcb83b02d8433df22
                              • Opcode Fuzzy Hash: c646a195b3cb7c5b5dbec25027f567f674e8d401275bd255f486bdfbdc49e010
                              • Instruction Fuzzy Hash: A151D1715547818FC330CF28C880785B7A3BF95338F658A6DC5EA1F295DB78B44A8B51
                              Function 6BD239CF Relevance: 3.1, APIs: 2, Instructions: 139threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: f347434b2156c4530eee3764d65565441217ac221f0c6199a342cc09d76963c4
                              • Instruction ID: 76198416efe5a13849a47e2b505c7be1bbcf2454459664957da13fa883afd6d2
                              • Opcode Fuzzy Hash: f347434b2156c4530eee3764d65565441217ac221f0c6199a342cc09d76963c4
                              • Instruction Fuzzy Hash: A451DF71504B818FC330CF28C480795B7A3BF96338F658A6DC2EA5F295DB78B44A8B51
                              Function 6BD23D18 Relevance: 3.1, APIs: 2, Instructions: 89threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6BD23E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD23EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: f2071f06ee368d180dd0568e2ddbcbdc30e22eaad80e0611e95ed7bf66899644
                              • Instruction ID: 214292a2cef700772390555f18016b58dba7820ceb4e39113a451305a648c0c0
                              • Opcode Fuzzy Hash: f2071f06ee368d180dd0568e2ddbcbdc30e22eaad80e0611e95ed7bf66899644
                              • Instruction Fuzzy Hash: 9F31F031555B81CFC334CF34C884786B7A2AF96328F258A2CC6EA5F291DB7870098B51
                              Function 6BD23D62 Relevance: 3.1, APIs: 2, Instructions: 83threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6BD23E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD23EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 1ac148445f47fb27cd1f28fb753cd077e1866ee943c1ac468d0cb53a9739caba
                              • Instruction ID: 4078a6ddf6ac29eae9cfae2f31c28ac4f86f3ac493a10879a78d5b1663660d39
                              • Opcode Fuzzy Hash: 1ac148445f47fb27cd1f28fb753cd077e1866ee943c1ac468d0cb53a9739caba
                              • Instruction Fuzzy Hash: 3F310D31014B81CFC734CF28C480796B7A2AF92328F244A6CC6EA4F285DB79B049CB52
                              Function 6BD23C62 Relevance: 3.1, APIs: 2, Instructions: 72threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6BD23E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6BD23EAA
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: 959dd2db84e5c4683be647fc5be99d5501b7061ab02bdd2050d0fba433c67f01
                              • Instruction ID: ebc8a41068963efa9146caf1ea7b7912ac6191db57457c05c43f24f2ef7b949f
                              • Opcode Fuzzy Hash: 959dd2db84e5c4683be647fc5be99d5501b7061ab02bdd2050d0fba433c67f01
                              • Instruction Fuzzy Hash: E721D171518781CFD7388F34C891796B7A2AF52328F644A2DC6FA4F290DB78A4498B51
                              Function 6BEA8810 Relevance: 3.1, APIs: 2, Instructions: 72serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6BEA8820
                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6BEA88C5
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Open$ManagerService
                              • String ID:
                              • API String ID: 2351955762-0
                              • Opcode ID: 5a05a511de8b2dd579a67f7679c2de04366c3075c3347f67f262a7dd01ea4d2e
                              • Instruction ID: 751a322250afa63819ec6eea687366e93ad994b2f800579a8c81ce9f6698cd8d
                              • Opcode Fuzzy Hash: 5a05a511de8b2dd579a67f7679c2de04366c3075c3347f67f262a7dd01ea4d2e
                              • Instruction Fuzzy Hash: 28311874928341AFC7008F28C849B0EBBF4AF89754F508859F488D7361D675C8598B63
                              Function 6BE9E090 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6BE9E0AC
                              • FindClose.KERNEL32(000000FF), ref: 6BE9E0E2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: 3a7bbcd372bef345fccf6ae733128089618bc100a9a75ea4f1404c0b7fbcc8e3
                              • Instruction ID: fcab06b4680da2824ee3783cdcb8b46a26053132d47efd8dcd19db5030b16afb
                              • Opcode Fuzzy Hash: 3a7bbcd372bef345fccf6ae733128089618bc100a9a75ea4f1404c0b7fbcc8e3
                              • Instruction Fuzzy Hash: 89116A7452C751DFD7109F28D944A4ABBE4BF86314F208D4AF4A9C73A0D738C8AC8B42
                              Function 6BEC01C3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3722 6bec01c3-6bec01d3 3723 6bec01ed-6bec01ef 3722->3723 3724 6bec01d5-6bec01e8 call 6beb30cf call 6beb30bc 3722->3724 3726 6bec0554-6bec0561 call 6beb30cf call 6beb30bc 3723->3726 3727 6bec01f5-6bec01fb 3723->3727 3740 6bec056c 3724->3740 3745 6bec0567 call 6beb3810 3726->3745 3727->3726 3730 6bec0201-6bec0227 3727->3730 3730->3726 3733 6bec022d-6bec0236 3730->3733 3736 6bec0238-6bec024b call 6beb30cf call 6beb30bc 3733->3736 3737 6bec0250-6bec0252 3733->3737 3736->3745 3738 6bec0258-6bec025b 3737->3738 3739 6bec0550-6bec0552 3737->3739 3738->3739 3743 6bec0261-6bec0265 3738->3743 3744 6bec056f-6bec0572 3739->3744 3740->3744 3743->3736 3747 6bec0267-6bec027e 3743->3747 3745->3740 3750 6bec02cf-6bec02d5 3747->3750 3751 6bec0280-6bec0283 3747->3751 3755 6bec029b-6bec02b2 call 6beb30cf call 6beb30bc call 6beb3810 3750->3755 3756 6bec02d7-6bec02e1 3750->3756 3753 6bec0285-6bec028e 3751->3753 3754 6bec0293-6bec0299 3751->3754 3759 6bec0353-6bec0363 3753->3759 3754->3755 3760 6bec02b7-6bec02ca 3754->3760 3788 6bec0487 3755->3788 3757 6bec02e8-6bec0306 call 6beb7ee5 call 6beb7eab * 2 3756->3757 3758 6bec02e3-6bec02e5 3756->3758 3793 6bec0308-6bec031e call 6beb30bc call 6beb30cf 3757->3793 3794 6bec0323-6bec034c call 6bebe359 3757->3794 3758->3757 3762 6bec0428-6bec0431 call 6bec50d5 3759->3762 3763 6bec0369-6bec0375 3759->3763 3760->3759 3777 6bec04a4 3762->3777 3778 6bec0433-6bec0445 3762->3778 3763->3762 3766 6bec037b-6bec037d 3763->3766 3766->3762 3770 6bec0383-6bec03a7 3766->3770 3770->3762 3774 6bec03a9-6bec03bf 3770->3774 3774->3762 3779 6bec03c1-6bec03c3 3774->3779 3781 6bec04a8-6bec04c0 ReadFile 3777->3781 3778->3777 3783 6bec0447-6bec0456 GetConsoleMode 3778->3783 3779->3762 3784 6bec03c5-6bec03eb 3779->3784 3786 6bec051c-6bec0527 GetLastError 3781->3786 3787 6bec04c2-6bec04c8 3781->3787 3783->3777 3789 6bec0458-6bec045c 3783->3789 3784->3762 3792 6bec03ed-6bec0403 3784->3792 3795 6bec0529-6bec053b call 6beb30bc call 6beb30cf 3786->3795 3796 6bec0540-6bec0543 3786->3796 3787->3786 3797 6bec04ca 3787->3797 3791 6bec048a-6bec0494 call 6beb7eab 3788->3791 3789->3781 3790 6bec045e-6bec0478 ReadConsoleW 3789->3790 3798 6bec0499-6bec04a2 3790->3798 3799 6bec047a GetLastError 3790->3799 3791->3744 3792->3762 3803 6bec0405-6bec0407 3792->3803 3793->3788 3794->3759 3795->3788 3800 6bec0549-6bec054b 3796->3800 3801 6bec0480-6bec0486 call 6beb30e2 3796->3801 3807 6bec04cd-6bec04df 3797->3807 3798->3807 3799->3801 3800->3791 3801->3788 3803->3762 3810 6bec0409-6bec0423 3803->3810 3807->3791 3814 6bec04e1-6bec04e5 3807->3814 3810->3762 3815 6bec04fe-6bec0509 3814->3815 3816 6bec04e7-6bec04f7 call 6bec05ee 3814->3816 3822 6bec050b call 6bec0573 3815->3822 3823 6bec0515-6bec051a call 6bec08a6 3815->3823 3828 6bec04fa-6bec04fc 3816->3828 3829 6bec0510-6bec0513 3822->3829 3823->3829 3828->3791 3829->3828
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: f355c68af633cf79b62a83a7e0f1842aeba4da587abeb0e2fa009bf9db24fd63
                              • Instruction ID: 6460eeae948da868ede7631d8a798087f738343c85e3b3d917f3ccfc2a20a0a3
                              • Opcode Fuzzy Hash: f355c68af633cf79b62a83a7e0f1842aeba4da587abeb0e2fa009bf9db24fd63
                              • Instruction Fuzzy Hash: 6EC107B0E042459FDF15CFA8CA91BAFBBB0BF4A314F20409DE424A7342D7799955CB62
                              Function 6BEC775C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3831 6bec775c-6bec778c call 6bec7bdc 3834 6bec778e-6bec7799 call 6beb30cf 3831->3834 3835 6bec77a7-6bec77b3 call 6bec4cfc 3831->3835 3840 6bec779b-6bec77a2 call 6beb30bc 3834->3840 3841 6bec77cc-6bec7815 call 6bec7b47 3835->3841 3842 6bec77b5-6bec77ca call 6beb30cf call 6beb30bc 3835->3842 3852 6bec7a81-6bec7a85 3840->3852 3850 6bec7817-6bec7820 3841->3850 3851 6bec7882-6bec788b GetFileType 3841->3851 3842->3840 3856 6bec7857-6bec787d GetLastError call 6beb30e2 3850->3856 3857 6bec7822-6bec7826 3850->3857 3853 6bec788d-6bec78be GetLastError call 6beb30e2 CloseHandle 3851->3853 3854 6bec78d4-6bec78d7 3851->3854 3853->3840 3868 6bec78c4-6bec78cf call 6beb30bc 3853->3868 3859 6bec78d9-6bec78de 3854->3859 3860 6bec78e0-6bec78e6 3854->3860 3856->3840 3857->3856 3861 6bec7828-6bec7855 call 6bec7b47 3857->3861 3864 6bec78ea-6bec7938 call 6bec4ea0 3859->3864 3860->3864 3865 6bec78e8 3860->3865 3861->3851 3861->3856 3874 6bec793a-6bec7946 call 6bec7d56 3864->3874 3875 6bec7957-6bec797f call 6bec7e00 3864->3875 3865->3864 3868->3840 3874->3875 3880 6bec7948 3874->3880 3881 6bec7984-6bec79c5 3875->3881 3882 6bec7981-6bec7982 3875->3882 3883 6bec794a-6bec7952 call 6bebf015 3880->3883 3884 6bec79e6-6bec79f4 3881->3884 3885 6bec79c7-6bec79cb 3881->3885 3882->3883 3883->3852 3888 6bec7a7f 3884->3888 3889 6bec79fa-6bec79fe 3884->3889 3885->3884 3887 6bec79cd-6bec79e1 3885->3887 3887->3884 3888->3852 3889->3888 3891 6bec7a00-6bec7a33 CloseHandle call 6bec7b47 3889->3891 3894 6bec7a35-6bec7a61 GetLastError call 6beb30e2 call 6bec4e0f 3891->3894 3895 6bec7a67-6bec7a7b 3891->3895 3894->3895 3895->3888
                              APIs
                                • Part of subcall function 6BEC7B47: CreateFileW.KERNEL32(00000000,00000000,?,6BEC7805,?,?,00000000,?,6BEC7805,00000000,0000000C), ref: 6BEC7B64
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEC7870
                              • __dosmaperr.LIBCMT ref: 6BEC7877
                              • GetFileType.KERNEL32(00000000), ref: 6BEC7883
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BEC788D
                              • __dosmaperr.LIBCMT ref: 6BEC7896
                              • CloseHandle.KERNEL32(00000000), ref: 6BEC78B6
                              • CloseHandle.KERNEL32(6BEBE7C0), ref: 6BEC7A03
                              • GetLastError.KERNEL32 ref: 6BEC7A35
                              • __dosmaperr.LIBCMT ref: 6BEC7A3C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: 88b97319b0d463b183127f6db40d7237eb3cc78b9da7e8530529bd687f79ae9d
                              • Instruction ID: 464fef3ca88581a4943ed9cdfb071f9a8fef5830756e6d10dbd7cbcb3cf44610
                              • Opcode Fuzzy Hash: 88b97319b0d463b183127f6db40d7237eb3cc78b9da7e8530529bd687f79ae9d
                              • Instruction Fuzzy Hash: DEA12732A141548FCF19DF78C951BAE7BB1AF07328F24418DE821AB390DB798916C752
                              Function 6BE7B4D0 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 834fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6BE7B62F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID: *$,=ym$-=ym$-=ym$B$H
                              • API String ID: 3934441357-3163594065
                              • Opcode ID: a4ca726962f52929def86e935612dab8e1844b79a64042139c789e8ba451a5b0
                              • Instruction ID: 311ba3cd916ae228506ee1c5edf731eb638f7fe87476deb675b2cfba604d84db
                              • Opcode Fuzzy Hash: a4ca726962f52929def86e935612dab8e1844b79a64042139c789e8ba451a5b0
                              • Instruction Fuzzy Hash: D0728C70A183459FC724DF28C4A065EB7E2AF89704F248D6EE599CB350E778D886CB53
                              Function 6BD24200 Relevance: 9.0, APIs: 3, Strings: 1, Instructions: 2005COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: bec5d0c8e8cd841c625bd2b1ddf5f70b850ee335353ff549477ac3d74a0873c9
                              • Instruction ID: 2f4f8d36e7b20facba9fc372d954ca4cbbde438723c7c14486806ea2cc6f7b93
                              • Opcode Fuzzy Hash: bec5d0c8e8cd841c625bd2b1ddf5f70b850ee335353ff549477ac3d74a0873c9
                              • Instruction Fuzzy Hash: FB03E471644B01CFC728CF28C8D0696B7E3EFD63247198A6DC4EA4B696D778B44ACB50
                              Function 6BEA86E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62processsynchronizationCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4469 6bea86e0-6bea8767 CreateProcessA 4470 6bea878b-6bea8794 4469->4470 4471 6bea87b0-6bea87fa WaitForSingleObject CloseHandle * 2 4470->4471 4472 6bea8796-6bea879b 4470->4472 4471->4470 4473 6bea879d-6bea87a2 4472->4473 4474 6bea8770-6bea8783 4472->4474 4473->4470 4475 6bea87a4-6bea8807 4473->4475 4474->4470
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CloseHandle$CreateObjectProcessSingleWait
                              • String ID: D
                              • API String ID: 2059082233-2746444292
                              • Opcode ID: 44729fd083585fb7c03eb14f2fcb33688bccab31b2768f7b9c0af2191f504807
                              • Instruction ID: fce52a2031dce99703f350dc23032a61a6fc9609f8bea59440b534cb969e7747
                              • Opcode Fuzzy Hash: 44729fd083585fb7c03eb14f2fcb33688bccab31b2768f7b9c0af2191f504807
                              • Instruction Fuzzy Hash: AA31E271818380CFD740DF28C18471ABBF0AB99318F505A1EF8E986360D7789989CF43
                              Function 6BEBF34E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4477 6bebf34e-6bebf36a 4478 6bebf529 4477->4478 4479 6bebf370-6bebf372 4477->4479 4480 6bebf52b-6bebf52f 4478->4480 4481 6bebf394-6bebf3b5 4479->4481 4482 6bebf374-6bebf387 call 6beb30cf call 6beb30bc call 6beb3810 4479->4482 4484 6bebf3bc-6bebf3c2 4481->4484 4485 6bebf3b7-6bebf3ba 4481->4485 4499 6bebf38c-6bebf38f 4482->4499 4484->4482 4487 6bebf3c4-6bebf3c9 4484->4487 4485->4484 4485->4487 4489 6bebf3cb-6bebf3d7 call 6bebe359 4487->4489 4490 6bebf3da-6bebf3eb call 6bebf530 4487->4490 4489->4490 4497 6bebf3ed-6bebf3ef 4490->4497 4498 6bebf42c-6bebf43e 4490->4498 4500 6bebf3f1-6bebf3f9 4497->4500 4501 6bebf416-6bebf422 call 6bebf5a1 4497->4501 4502 6bebf440-6bebf449 4498->4502 4503 6bebf485-6bebf4a7 WriteFile 4498->4503 4499->4480 4504 6bebf4bb-6bebf4be 4500->4504 4505 6bebf3ff-6bebf40c call 6bebf94b 4500->4505 4513 6bebf427-6bebf42a 4501->4513 4509 6bebf44b-6bebf44e 4502->4509 4510 6bebf475-6bebf483 call 6bebf9b3 4502->4510 4507 6bebf4a9-6bebf4af GetLastError 4503->4507 4508 6bebf4b2 4503->4508 4515 6bebf4c1-6bebf4c6 4504->4515 4521 6bebf40f-6bebf411 4505->4521 4507->4508 4514 6bebf4b5-6bebf4ba 4508->4514 4516 6bebf450-6bebf453 4509->4516 4517 6bebf465-6bebf473 call 6bebfb77 4509->4517 4510->4513 4513->4521 4514->4504 4522 6bebf4c8-6bebf4cd 4515->4522 4523 6bebf524-6bebf527 4515->4523 4516->4515 4524 6bebf455-6bebf463 call 6bebfa8e 4516->4524 4517->4513 4521->4514 4526 6bebf4f9-6bebf505 4522->4526 4527 6bebf4cf-6bebf4d4 4522->4527 4523->4480 4524->4513 4529 6bebf50c-6bebf51f call 6beb30bc call 6beb30cf 4526->4529 4530 6bebf507-6bebf50a 4526->4530 4531 6bebf4ed-6bebf4f4 call 6beb30e2 4527->4531 4532 6bebf4d6-6bebf4e8 call 6beb30bc call 6beb30cf 4527->4532 4529->4499 4530->4478 4530->4529 4531->4499 4532->4499
                              APIs
                                • Part of subcall function 6BEBF5A1: GetConsoleCP.KERNEL32(?,6BEBE7C0,?), ref: 6BEBF5E9
                              • WriteFile.KERNEL32(?,?,6BEC7DDC,00000000,00000000,?,00000000,00000000,6BEC91A6,00000000,00000000,?,00000000,6BEBE7C0,6BEC7DDC,00000000), ref: 6BEBF49F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6BEC7DDC,6BEBE7C0,00000000,?,?,?,?,00000000,?), ref: 6BEBF4A9
                              • __dosmaperr.LIBCMT ref: 6BEBF4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: a842bd115dd5725ecf50c2bbb3f60a228484caab726fa87b0c42fba4898435e7
                              • Instruction ID: fcd9f4178764af3b4b7dd35b2026e351d816950d299ea0f329aeeebf46b5b384
                              • Opcode Fuzzy Hash: a842bd115dd5725ecf50c2bbb3f60a228484caab726fa87b0c42fba4898435e7
                              • Instruction Fuzzy Hash: 4B51B479D0020AABDF05DFB4CA81BDEBBB9EF0A318F240455D510A7251D77CD9418BE1
                              Function 6BEA9280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 142COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4544 6bea9280-6bea928c 4545 6bea928e-6bea9299 4544->4545 4546 6bea92cd 4544->4546 4548 6bea929b-6bea92ad 4545->4548 4549 6bea92af-6bea92bc call 6bd701f0 call 6beb4208 4545->4549 4547 6bea92cf-6bea9347 4546->4547 4550 6bea9349-6bea9371 4547->4550 4551 6bea9373-6bea9379 4547->4551 4548->4549 4557 6bea92c1-6bea92cb 4549->4557 4550->4551 4553 6bea937a-6bea9439 call 6bd72250 call 6bd72340 call 6beaca69 call 6bd6e010 call 6beaa778 4550->4553 4557->4547
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BEA9421
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: 96e7d29c0fb8ffa09e83a81709420f2c6655af6b48791a05a82ef6027d31aed1
                              • Instruction ID: d5036a62ba843d2dd7ca98442c35b4e2ead139b0b33cba0d1a1260f2e6cc8ce8
                              • Opcode Fuzzy Hash: 96e7d29c0fb8ffa09e83a81709420f2c6655af6b48791a05a82ef6027d31aed1
                              • Instruction Fuzzy Hash: 495145B5900B008FD725CF25C481B97BBF5FB49318F108A6DD8864BB91D779B90ACB90
                              Function 6BE7CEA0 Relevance: 6.2, APIs: 4, Instructions: 187fileCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4567 6be7cea0-6be7cf03 call 6beaa260 4570 6be7cf40-6be7cf49 4567->4570 4571 6be7cf90-6be7cf95 4570->4571 4572 6be7cf4b-6be7cf50 4570->4572 4575 6be7d030-6be7d035 4571->4575 4576 6be7cf9b-6be7cfa0 4571->4576 4573 6be7cf56-6be7cf5b 4572->4573 4574 6be7d000-6be7d005 4572->4574 4581 6be7d065-6be7d08c 4573->4581 4582 6be7cf61-6be7cf66 4573->4582 4577 6be7d125-6be7d158 call 6beaea90 4574->4577 4578 6be7d00b-6be7d010 4574->4578 4579 6be7d17d-6be7d191 4575->4579 4580 6be7d03b-6be7d040 4575->4580 4583 6be7cfa6-6be7cfab 4576->4583 4584 6be7cf05-6be7cf21 WriteFile 4576->4584 4577->4570 4587 6be7d016-6be7d01b 4578->4587 4588 6be7d15d-6be7d175 4578->4588 4585 6be7d195-6be7d1a2 4579->4585 4589 6be7d1a7-6be7d1ac 4580->4589 4590 6be7d046-6be7d060 4580->4590 4593 6be7cf33-6be7cf38 4581->4593 4591 6be7d091-6be7d0aa WriteFile 4582->4591 4592 6be7cf6c-6be7cf71 4582->4592 4595 6be7cfb1-6be7cfb6 4583->4595 4596 6be7d0af-6be7d120 WriteFile 4583->4596 4586 6be7cf30 4584->4586 4585->4570 4586->4593 4587->4570 4598 6be7d021-6be7d02b 4587->4598 4588->4579 4589->4570 4597 6be7d1b2-6be7d1c0 4589->4597 4590->4585 4591->4586 4592->4570 4599 6be7cf73-6be7cf86 4592->4599 4593->4570 4595->4570 4601 6be7cfb8-6be7cfee call 6beaf010 ReadFile 4595->4601 4596->4586 4598->4586 4599->4593 4601->4586
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6BE7CFE1
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: ff00fa4e46d054ecdca7a6f8e20858f71960836653f50275f3628f1c8796af4a
                              • Instruction ID: 978786d5b0f039b43872d66d851062da3d0b93d86e458abc725a2807c5e68c86
                              • Opcode Fuzzy Hash: ff00fa4e46d054ecdca7a6f8e20858f71960836653f50275f3628f1c8796af4a
                              • Instruction Fuzzy Hash: 54716FB4258344AFD724DF28C884B5ABBE8BF89708F60482EF495C7350D379D995DB82
                              Function 6BE7C390 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 631COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4626 6be7c390-6be7c406 call 6beaa260 call 6beaf010 4631 6be7c426-6be7c42f 4626->4631 4632 6be7c431-6be7c436 4631->4632 4633 6be7c490-6be7c495 4631->4633 4634 6be7c500-6be7c505 4632->4634 4635 6be7c43c-6be7c441 4632->4635 4636 6be7c570-6be7c575 4633->4636 4637 6be7c49b-6be7c4a0 4633->4637 4640 6be7c50b-6be7c510 4634->4640 4641 6be7c679-6be7c67e 4634->4641 4638 6be7c447-6be7c44c 4635->4638 4639 6be7c5bf-6be7c5c4 4635->4639 4642 6be7c6d6-6be7c6db 4636->4642 4643 6be7c57b-6be7c580 4636->4643 4644 6be7c4a6-6be7c4ab 4637->4644 4645 6be7c638-6be7c63d 4637->4645 4650 6be7c742-6be7c747 4638->4650 4651 6be7c452-6be7c457 4638->4651 4648 6be7c863-6be7c868 4639->4648 4649 6be7c5ca-6be7c5cf 4639->4649 4652 6be7c516-6be7c51b 4640->4652 4653 6be7c7de-6be7c7e3 4640->4653 4656 6be7c684-6be7c689 4641->4656 4657 6be7c8e2-6be7c8e7 4641->4657 4646 6be7c912-6be7c917 4642->4646 4647 6be7c6e1-6be7c6e6 4642->4647 4658 6be7c586-6be7c58b 4643->4658 4659 6be7c830-6be7c835 4643->4659 4660 6be7c796-6be7c79b 4644->4660 4661 6be7c4b1-6be7c4b6 4644->4661 4654 6be7c643-6be7c648 4645->4654 4655 6be7c8ab-6be7c8b0 4645->4655 4692 6be7c91d-6be7c922 4646->4692 4693 6be7ce1a-6be7ce29 4646->4693 4662 6be7cc12-6be7cc4d call 6beaf010 call 6be7b4d0 4647->4662 4663 6be7c6ec-6be7c6f1 4647->4663 4678 6be7cdb7-6be7cdbf 4648->4678 4679 6be7c86e-6be7c873 4648->4679 4676 6be7c5d5-6be7c5da 4649->4676 4677 6be7ca71-6be7ca9b call 6beaea90 4649->4677 4664 6be7cca3-6be7ccba 4650->4664 4665 6be7c74d-6be7c752 4650->4665 4680 6be7c93d-6be7c95b 4651->4680 4681 6be7c45d-6be7c462 4651->4681 4666 6be7c9a3-6be7c9b3 4652->4666 4667 6be7c521-6be7c526 4652->4667 4670 6be7ccfa-6be7cd23 4653->4670 4671 6be7c7e9-6be7c7ee 4653->4671 4682 6be7c64e-6be7c653 4654->4682 4683 6be7cb08-6be7cb34 4654->4683 4684 6be7c8b6-6be7c8bb 4655->4684 4685 6be7cdda-6be7cdf1 4655->4685 4688 6be7cb61-6be7cb85 4656->4688 4689 6be7c68f-6be7c694 4656->4689 4686 6be7c8ed-6be7c8f2 4657->4686 4687 6be7cdf9-6be7ce12 4657->4687 4672 6be7c591-6be7c596 4658->4672 4673 6be7c9fe-6be7ca3a 4658->4673 4674 6be7cd6c-6be7cd88 4659->4674 4675 6be7c83b-6be7c840 4659->4675 4668 6be7c7a1-6be7c7a6 4660->4668 4669 6be7c408-6be7c418 4660->4669 4690 6be7c4bc-6be7c4c1 4661->4690 4691 6be7c97a-6be7c984 4661->4691 4752 6be7cc52-6be7cc72 4662->4752 4694 6be7cc77-6be7cc88 4663->4694 4695 6be7c6f7-6be7c6fc 4663->4695 4726 6be7ccbc-6be7ccc4 4664->4726 4697 6be7ccc9-6be7ccd8 4665->4697 4698 6be7c758-6be7c75d 4665->4698 4716 6be7c9bd-6be7c9c5 4666->4716 4667->4716 4717 6be7c52c-6be7c531 4667->4717 4700 6be7cce0-6be7ccf5 4668->4700 4701 6be7c7ac-6be7c7b1 4668->4701 4704 6be7c41d 4669->4704 4670->4631 4702 6be7c7f4-6be7c7f9 4671->4702 4703 6be7cd28-6be7cd67 4671->4703 4719 6be7ca43-6be7ca6c 4672->4719 4720 6be7c59c-6be7c5a1 4672->4720 4673->4719 4696 6be7cd8a-6be7cd98 4674->4696 4705 6be7c846-6be7c84b 4675->4705 4706 6be7cd9d-6be7cdad 4675->4706 4721 6be7caa0-6be7cb03 call 6be7ce50 CreateFileA 4676->4721 4722 6be7c5e0-6be7c5e5 4676->4722 4677->4631 4699 6be7cdc4-6be7cdd5 4678->4699 4707 6be7ce31-6be7ce36 4679->4707 4708 6be7c879-6be7c8a6 4679->4708 4680->4696 4709 6be7c960-6be7c975 4681->4709 4710 6be7c468-6be7c46d 4681->4710 4724 6be7cb39-6be7cb5c 4682->4724 4725 6be7c659-6be7c65e 4682->4725 4683->4631 4684->4631 4711 6be7c8c1-6be7c8dd 4684->4711 4685->4687 4686->4631 4712 6be7c8f8-6be7c90d 4686->4712 4687->4693 4688->4631 4727 6be7cb8a-6be7cc0d 4689->4727 4728 6be7c69a-6be7c69f 4689->4728 4713 6be7c4c7-6be7c4cc 4690->4713 4714 6be7c989-6be7c99e 4690->4714 4691->4631 4692->4631 4715 6be7c928-6be7c938 4692->4715 4693->4707 4737 6be7cc8d-6be7cc9e 4694->4737 4695->4631 4729 6be7c702-6be7c73d 4695->4729 4696->4631 4697->4700 4698->4631 4730 6be7c763-6be7c791 4698->4730 4699->4631 4700->4704 4701->4631 4731 6be7c7b7-6be7c7d9 4701->4731 4702->4631 4732 6be7c7ff-6be7c82b 4702->4732 4703->4631 4733 6be7c420-6be7c424 4704->4733 4705->4631 4735 6be7c851-6be7c85e 4705->4735 4706->4678 4707->4631 4734 6be7ce3c-6be7ce47 4707->4734 4708->4631 4709->4631 4710->4631 4736 6be7c46f-6be7c483 4710->4736 4711->4737 4712->4631 4713->4631 4738 6be7c4d2-6be7c4fa call 6be72a20 call 6be72a30 4713->4738 4714->4733 4715->4699 4739 6be7c9ca-6be7c9f9 4716->4739 4717->4631 4740 6be7c537-6be7c561 4717->4740 4719->4631 4720->4631 4742 6be7c5a7-6be7c5ba 4720->4742 4721->4631 4722->4631 4744 6be7c5eb-6be7c633 4722->4744 4724->4631 4725->4631 4746 6be7c664-6be7c674 4725->4746 4726->4631 4727->4631 4728->4631 4747 6be7c6a5-6be7c6d1 4728->4747 4729->4631 4730->4726 4731->4696 4732->4631 4733->4631 4735->4739 4736->4699 4737->4631 4738->4631 4739->4631 4740->4631 4742->4631 4744->4631 4746->4739 4747->4631 4752->4631
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @*Z$@*Z
                              • API String ID: 0-2842812045
                              • Opcode ID: 4d036ea302e5d0d3d4bce7cc92bc20d497ca689c892f27b2f4879c16f65911f5
                              • Instruction ID: 75bb758d1380f811c9d380198a5b6b00ae524f99c454505981aafeea1c163a58
                              • Opcode Fuzzy Hash: 4d036ea302e5d0d3d4bce7cc92bc20d497ca689c892f27b2f4879c16f65911f5
                              • Instruction Fuzzy Hash: 4A426970A093429FCB24DF28C49166EBBE5AB89704F244D6EF499D7351E339D946CB03
                              Function 6BEBF015 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4755 6bebf015-6bebf029 call 6bec4c92 4758 6bebf02b-6bebf02d 4755->4758 4759 6bebf02f-6bebf037 4755->4759 4760 6bebf07d-6bebf09d call 6bec4e0f 4758->4760 4761 6bebf039-6bebf040 4759->4761 4762 6bebf042-6bebf045 4759->4762 4770 6bebf0ab 4760->4770 4771 6bebf09f-6bebf0a9 call 6beb30e2 4760->4771 4761->4762 4764 6bebf04d-6bebf061 call 6bec4c92 * 2 4761->4764 4765 6bebf063-6bebf073 call 6bec4c92 CloseHandle 4762->4765 4766 6bebf047-6bebf04b 4762->4766 4764->4758 4764->4765 4765->4758 4777 6bebf075-6bebf07b GetLastError 4765->4777 4766->4764 4766->4765 4775 6bebf0ad-6bebf0b0 4770->4775 4771->4775 4777->4760
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6BEC794F), ref: 6BEBF06B
                              • GetLastError.KERNEL32(?,00000000,?,6BEC794F), ref: 6BEBF075
                              • __dosmaperr.LIBCMT ref: 6BEBF0A0
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 33aa8055e1f46cbdab0a04f08d547c5d4bbe1d51d433aa9ffd811dc904c68e35
                              • Instruction ID: 367bec0fa4e488318c559058a0662b12ed12b6b9320ad92835ff9c57066c6f17
                              • Opcode Fuzzy Hash: 33aa8055e1f46cbdab0a04f08d547c5d4bbe1d51d433aa9ffd811dc904c68e35
                              • Instruction Fuzzy Hash: 61010836A052202ADA1413389B45B6E37694F8373CF35458EE926863F1EF7DC85182D1
                              Function 6BEB428C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 5000 6beb428c-6beb4297 5001 6beb4299-6beb42ac call 6beb30bc call 6beb3810 5000->5001 5002 6beb42ae-6beb42bb 5000->5002 5012 6beb4300-6beb4302 5001->5012 5003 6beb42bd-6beb42d2 call 6beb43a9 call 6bebbe2e call 6bebd350 call 6bebef88 5002->5003 5004 6beb42f6-6beb42ff call 6bebe565 5002->5004 5019 6beb42d7-6beb42dc 5003->5019 5004->5012 5020 6beb42de-6beb42e1 5019->5020 5021 6beb42e3-6beb42e7 5019->5021 5020->5004 5021->5004 5022 6beb42e9-6beb42f5 call 6beb7eab 5021->5022 5022->5004
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 0208f46957a705a2b8c02ab44fc0fe4ded18397d9f8dfcdd33d02bdd1e4f164d
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: 5AF0D133841A105AD6215B399F02B8B33B88F4233DF300B5AE960922D0DB3CD40296E2
                              Function 6BEA9050 Relevance: 3.1, APIs: 2, Instructions: 108COMMON
                              Download Yara Rule
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BEA91A4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6BEA91E4
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: 656fa59137fb2901ca49c092d8cfea60f7f30463f9744381143b59cb7a3b925c
                              • Instruction ID: 49e0738f83487c3a910e99df3502c5fb0187a56e00954b905a0f33774ad4802c
                              • Opcode Fuzzy Hash: 656fa59137fb2901ca49c092d8cfea60f7f30463f9744381143b59cb7a3b925c
                              • Instruction Fuzzy Hash: BD513574601B00DBD725CF24C885BA7BBF4FF05728F508A5CE4AA4B291DB39B945CB91
                              Function 6BEB262F Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(6BED9DD0,0000000C), ref: 6BEB2642
                              • ExitThread.KERNEL32 ref: 6BEB2649
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 2e5d8e86b4a7d53582fe2f76c4ced876163023f8eb911c178ee73690410d2ce8
                              • Instruction ID: d2e2b8738e5a1d068c9aa07eb665a45ee32714bb8dd14f97b0eb7b6541390142
                              • Opcode Fuzzy Hash: 2e5d8e86b4a7d53582fe2f76c4ced876163023f8eb911c178ee73690410d2ce8
                              • Instruction Fuzzy Hash: 5BF0CD70940205AFDF04ABB0CA4AE6E7B74FF45308F30415DE402AB2A1CF7DA941CBA1
                              Function 6BEBE662 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: c91d568f7ef6551d125ca002e3a86f704e9f12e6fa6dce7d4c0cf31fbe160fb5
                              • Instruction ID: ec5c08e11fa2f0a789ae17706a872c32ebec1030e9d40bce663766625cfe9dc4
                              • Opcode Fuzzy Hash: c91d568f7ef6551d125ca002e3a86f704e9f12e6fa6dce7d4c0cf31fbe160fb5
                              • Instruction Fuzzy Hash: 82116A72A0460AAFCB05CF58E94599B3BF8EF48304F2444A9F809AB311D630E911CBA5
                              Function 6BEC76EE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: d965bcb959ac7dcee7c2c8b4e08bbe5ab946d5ac0a314cadd3f33fd67a5f2bf3
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: 41012C72C0015DAFCF419FB88D01AEE7FB5AF08214F244269A924E2150EB358A619B91
                              Function 6BEC7B47 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6BEC7805,?,?,00000000,?,6BEC7805,00000000,0000000C), ref: 6BEC7B64
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: 03e25c0ace731455e486f36de0c8cadcaf953ee01743c17219ca290ef26c88bc
                              • Instruction ID: 600d806c8eb7e0d586e963d7a3a1250553d9b8abbe4a5bf369f8895b495ae568
                              • Opcode Fuzzy Hash: 03e25c0ace731455e486f36de0c8cadcaf953ee01743c17219ca290ef26c88bc
                              • Instruction Fuzzy Hash: 16D06C3200014DBBDF028F84DC06EDA3BAAFB88715F014100BA1856020C772E861AB90
                              Function 6BD783A0 Relevance: 1.5, APIs: 1, Instructions: 1COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: 64216a7a83cce0a7401016f01d7ba189ff8ffacc272684a8ca341c696783f3d1
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:

                              Non-executed Functions

                              Function 6BEA4860 Relevance: 11.0, APIs: 3, Strings: 1, Instructions: 4048COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: C
                              • API String ID: 4218353326-4157497815
                              • Opcode ID: 26033ed8b0c900be0c873047d9f93789061081b19ad7415b105345faa45cdf60
                              • Instruction ID: ef66e26df0c77c4e2727623d5a2f479ab961899e9c5b5b74d0b755fe661b94a1
                              • Opcode Fuzzy Hash: 26033ed8b0c900be0c873047d9f93789061081b19ad7415b105345faa45cdf60
                              • Instruction Fuzzy Hash: 19730971644B018FC728CF28C8D0A95B7F6BFD53187298A6DC0A74BB55EB78B54ACB40
                              Function 6BEA9450 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 31nativeshutdownCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6BEA945A
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6BEA9466
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6BEA9474
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6BEA949B
                              • NtInitiatePowerAction.NTDLL ref: 6BEA94AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: f12ed2726b6481791d34112ef5bb444aef4a43ddd5542eeca752db248ef29454
                              • Instruction ID: fcec8f702ad4a187e559c5596cf0f35e68c8666893961c382791dcb29aeb4ce2
                              • Opcode Fuzzy Hash: f12ed2726b6481791d34112ef5bb444aef4a43ddd5542eeca752db248ef29454
                              • Instruction Fuzzy Hash: ECF0B470544304EFEA046F28CD0EF5E7BE8EF45701F004518F945AA1E5D7B0A988CBA2
                              Function 6BD21950 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 594COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: 6d382600605fe2337f8d9016ce6d775e281cbabddbc97f6ed45d5bb9ef4929e8
                              • Instruction ID: 8f0a061146a61dfc3a6a1d171a9886acefda3ad7fe8844959b3899ed103c12f5
                              • Opcode Fuzzy Hash: 6d382600605fe2337f8d9016ce6d775e281cbabddbc97f6ed45d5bb9ef4929e8
                              • Instruction Fuzzy Hash: 1D420374608382CFC724CF68C48165ABBE1BB8A368F14896EE5E5DB360D339D945CB53
                              Function 6BF09CE0 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1923COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BF09CE5
                                • Part of subcall function 6BEDFC2A: __EH_prolog.LIBCMT ref: 6BEDFC2F
                                • Part of subcall function 6BEE16A6: __EH_prolog.LIBCMT ref: 6BEE16AB
                                • Part of subcall function 6BF09A0E: __EH_prolog.LIBCMT ref: 6BF09A13
                                • Part of subcall function 6BF09837: __EH_prolog.LIBCMT ref: 6BF0983C
                                • Part of subcall function 6BF0D143: __EH_prolog.LIBCMT ref: 6BF0D148
                                • Part of subcall function 6BF0D143: ctype.LIBCPMT ref: 6BF0D16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction ID: 61b3fe614ee1973ea1b4d297f3e78c95ba0a8e2e5852ad642489f387b79f7685
                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction Fuzzy Hash: 27039D32904249DFDF15CBA8C961BDCBBB1AF15308F2080D9D449672B1DF785A8AEF61
                              Function 6BEB3871 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6BEB3969
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6BEB3973
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6BEB3980
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 23b3a045511a3e71027e805ced57b24ebb065a54ab0e46f69c233ba25f16428b
                              • Instruction ID: cf4899d271ff3a9a01b4595911680a4d99c8015775991181909a44a4b5bda148
                              • Opcode Fuzzy Hash: 23b3a045511a3e71027e805ced57b24ebb065a54ab0e46f69c233ba25f16428b
                              • Instruction Fuzzy Hash: F431C574D0122CABCB21DF24D989B8DBBB8BF08714F6045EAE41CA7250E7749B858F44
                              Function 6BEB286D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,6BEB2925,?,?,?,?), ref: 6BEB288F
                              • TerminateProcess.KERNEL32(00000000,?,6BEB2925,?,?,?,?), ref: 6BEB2896
                              • ExitProcess.KERNEL32 ref: 6BEB28A8
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 5766c37b42c6593bc62ffd5c8d151340e61ab0337dccd5fb909bb988a2bdc63f
                              • Instruction ID: 6ef78d39dd1866634258104c35e79a67756281fdec871336e5bd9e0874d4a634
                              • Opcode Fuzzy Hash: 5766c37b42c6593bc62ffd5c8d151340e61ab0337dccd5fb909bb988a2bdc63f
                              • Instruction Fuzzy Hash: B1E08C31440108AFCF016F20DA08A4C3F79FF89745B204468F80886220CB7EE892CB80
                              Function 6BEDBEA1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: ffb24de7abdd781df763cdf1bbb1894f491c9a58fa1eb2c2554d1a7f963a0348
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: 2891B031E04119DACF04DFB8D8919EDB772AF15388F3080AED45667391EBB95987CB90
                              Function 6BEAA133 Relevance: 3.3, APIs: 2, Instructions: 302COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6BEAAFA0
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6BEAB7C3
                                • Part of subcall function 6BEACA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6BEAB7AC,00000000,?,?,?,6BEAB7AC,?,6BED853C), ref: 6BEACAC9
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: f47de79375665f8442214f22b2b302c0ebdaea0fc9470045159184d96fa5556c
                              • Instruction ID: 760d4119862bd551f22cd45b08315f4af71021d8c25c1c50c0178bfb64ba0a83
                              • Opcode Fuzzy Hash: f47de79375665f8442214f22b2b302c0ebdaea0fc9470045159184d96fa5556c
                              • Instruction Fuzzy Hash: 68B15C71D14609EBDB08CF69C89179EBBB9FB49314F20816AE815AB3A0D378D558CF90
                              Function 6BEDB972 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: fc7361d826482b4a2e090710693587bb9d0340cb15ff65a0fb17459f46889ada
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: F2215137BA49564BD74CCA28EC33EB96681E745305B89527EE94BCB3E1DF5D8800CA48
                              Function 6BEF840A Relevance: 2.3, APIs: 1, Instructions: 760COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BEF840F
                                • Part of subcall function 6BEF9137: __EH_prolog.LIBCMT ref: 6BEF913C
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 4a7f335c9b45e59297348e1f96b8298cc2706d22b61f05cf55f4b4be32f0cd30
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: 35625B71D00259CFDF15CFA5C895BDDBBB9BF04308F2044AAE819AB281D7789A52CF91
                              Function 6BF50AD0 Relevance: 1.9, Strings: 1, Instructions: 669COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: 990b5c2b80e725b944542f91608617196600ccd718e480ea9d54364e48a49260
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: 7442E1736083918FC315CF38C49069ABBE2EFE9308F14496DE8D58B362D6B5D956CB42
                              Function 6BEE3BCA Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 8ae14a997046932b899b6ab81356b38cfc18f0deb27af88b7ec8f41c201f82d1
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: C651F971A082459BD711CF5AC4C02EDFBF6EF79214F24C05EE88897252D27A999BC760
                              Function 6BF5CE80 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: a019a5146fe7d3035816815abcb11ec1cb427483d6c44165519de49618e0f39d
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 4502BC376493408BD324CF28C490B9EBBE2AFE8704F104A6DE4C597365D778E956CB92
                              Function 6BEDF7CF Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: d2f90c06c95569c99f6a3a558290364e8c3cf30038f06559bdd3405c0164d26a
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: A8519473E208214AD79CCE24EC2177572D2E784310F8BC1B99D4BAB6E6DD78989187C4
                              Function 6BFB7A46 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: B
                              • API String ID: 0-1255198513
                              • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                              • Instruction ID: db6c1eded46c21932769cd991fea69e85ef40337af720136816b4586916c6e46
                              • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                              • Instruction Fuzzy Hash: 053124315087518BD314DF68D884AABB3E2FBC4326F60CA3ED89ACBA94E7745815CF41
                              Function 6BF53020 Relevance: .8, Instructions: 762COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: 23664a67063dea241a1c50a276a751bcb72be74f80f983981a170300660202b6
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: B1526A73608B418BD328CF2DC4906AAB7E2BBA5308F148A6DD4DB87751DB78F455CB41
                              Function 6BF6D930 Relevance: .7, Instructions: 740COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: a1a78b79710c24c703fc11bd4fbbd5f80c81ef0ef0f8dce6f01d83af55867a15
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: C062F6B6A483458FC714CF29C58061AFBF1BFC9784F208A6EE89987325E775D845CB42
                              Function 6BF56D50 Relevance: .5, Instructions: 547COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: 8dc160b7c69cc8470ecfab1a5cf55abdf8f779323cb926a71cfe9dbcd7405756
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: 5112BF736083468FC718CF28C49066AFBE2BF98304F54896DE8DA87761D739E855CB91
                              Function 6BF67AA0 Relevance: .5, Instructions: 474COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: c6f086fdbeb207f02a3a95cbd10f978ffb907c58604a9a173c5b9c9323e539fb
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: EC02EC33E083518BD319CE2CC490259BBF2FBC4395F150A2EEC9697664F7789949CB92
                              Function 6BF52A50 Relevance: .5, Instructions: 453COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: c67eb747847cdfc9eaeed7cff2b0c4bebc2e89777d0bd9ca5ae9210e54b29270
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: C0F101336042898BEB24CE28D8507EEBBE2FBD5310F54463DD889CB351DB3A955AC791
                              Function 6BF625C0 Relevance: .3, Instructions: 333COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: 53df38d51b5f09cd7bc1e8e6de0a291c4ddc53cb26309e185da5feecf1500ee3
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: 66D101725046168FD719CF1CC894636BBE1FF86380F054ABDDDA28B3A6E73A9505CB50
                              Function 6BFF4F0A Relevance: .3, Instructions: 332COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                              • Instruction ID: 1705d1d03abafed8d0b4c35e1d684221032b984197efd8b463ff633788c2657b
                              • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                              • Instruction Fuzzy Hash: 0CB1C8366087128BE718DE7CD8909FB73E2EBC1320F94863DE596C79C4DB35951A8B81
                              Function 6BF55580 Relevance: .3, Instructions: 316COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: 70e15a49e329d956ce99425f18a650608a47eff466fa3e2b0bcccd1fd1af6a60
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: 3DC1B4372047458BC718CE39D0A06A7BBE2EFEA314F148A6DC5CE4B765DA34A40ECB55
                              Function 6BF51810 Relevance: .3, Instructions: 296COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 392299ed1c3d46c7444e3f33f7f29dbf36299466ee7798c6fa257c370308acf7
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: B9B1C233304B064BE324DE39C891BDAB7E1AF95708F00456DC59A87261EF79B619C791
                              Function 6BF54AA0 Relevance: .3, Instructions: 291COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: 267016c82f60ff41c0b050901c326a660785592ff9dbf362b2f5f2ed4c53abf3
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: B3B1CF766087028BC304DF29C8806ABF7E2FFD8304F14896DD49AC7325E775A56ACB95
                              Function 6BF5C9F0 Relevance: .3, Instructions: 287COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: 113d2426a4dee365b69bc6a43d0dd4ccc523c5de08ff8761e59178dec8f2ceea
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: 38A1E5735083418FC314CF29C49069ABBE1ABE5348F54496DE4DBC7361E639E996CB42
                              Function 6BF5C6E0 Relevance: .2, Instructions: 223COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: 935d98ca19ee793ebb1a5ad0b3b07fa987ae3a3997ff1c2483d12ea7a50d8539
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: 3781A536A047058FC320CF29C480696F7E1FFA9714F28C9ADC5999B721E776E946CB81
                              Function 6C013881 Relevance: .2, Instructions: 184COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                              • Instruction ID: 58395fde19d7ada51e146460beabc951d6c7996d49bdd5fe7c7cfddef4de0115
                              • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                              • Instruction Fuzzy Hash: E251A936A166224BC70CDA3CD8615E73392EBC5370B58C73EE59AC79D4EB7A940BC600
                              Function 6BEF3B66 Relevance: .2, Instructions: 167COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: f0fac779531540370322683ca5004da159cb859486bd1714835cd895abc9223b
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: 2051CF72F006099BDB18CF98DD926EDB7F6EB88304F24816DD015E7381D7799A42CB51
                              Function 6C07B06F Relevance: .2, Instructions: 155COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                              • Instruction ID: fdec5a634526493d3c88b9e12dbc90aa624831191a0184b8dcba3c2e6ccafc92
                              • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                              • Instruction Fuzzy Hash: 9F5147365087068BC314DF6CE8409EAB3E1AFC5320F618B3EE495CB8D1EB755129CB46
                              Function 6BEF5EC9 Relevance: .1, Instructions: 136COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: 5baaeb11e1ddc450be3e854fa10ca1f7f9ce424c56cb62b0744f5ecaa7f86f08
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: A93114277A440103C70CCD2BCC1279F91976BE522A76EDBB9AD09CAF55D52CC8235144
                              Function 6C02CB30 Relevance: .1, Instructions: 118COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b99c78fee83379869537550faa136deb0a43d6b54d165580d91fa67e89bc1b6
                              • Instruction ID: 684cb785e10329d76509ddad96ffebeb5114eeb83a2b427b4ac63c5db932eab6
                              • Opcode Fuzzy Hash: 8b99c78fee83379869537550faa136deb0a43d6b54d165580d91fa67e89bc1b6
                              • Instruction Fuzzy Hash: C6418B72A487168FD314DE58EC804EAB3A6EFC8320F904B3D9866872D5D771691A8390
                              Function 6C088D12 Relevance: .1, Instructions: 97COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                              • Instruction ID: a11dde7da63ef44665c42104ba32fed6c3258709220921bd7320b4d0b1537b62
                              • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                              • Instruction Fuzzy Hash: 42315732A147228BD728CA79D4501ABB3E2EBC5318B55CB2DC4568B599EB75600BCB82
                              Function 6BF7C700 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: e5cf93e408a382bc9f31ca75d2dc9fba13bbea1c02d310a5bc119250e9b24c38
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: A1218E77320A0647E74C8A38D83737532D0A705318F98A26DEA6BCE2C2D73AC457C385
                              Function 6BEBD456 Relevance: .0, Instructions: 29COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b6d97380eff263838bb2ef6765b25fc072bbb9872304b693dd93d1ddabe30f69
                              • Instruction ID: 02d5c7116c6f61dad98dbc6e5779a780873f9c28feaad88e7f3750fb19789838
                              • Opcode Fuzzy Hash: b6d97380eff263838bb2ef6765b25fc072bbb9872304b693dd93d1ddabe30f69
                              • Instruction Fuzzy Hash: 8AF0E532A50220DFCB1ACB4CC505F8973BCEB05BA4F21909AE401DB250C7B8EE10C7C0
                              Function 6BEBD425 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: 3cbcf9bb375db6990cbf579304cd149d48a55a8aed32a5d7c0a9a2a29e93591d
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: B2E08C32951238EBCB19CB98CA04D8AF3ECEB45B04B2140AAF505D3210D678EE00CBD0
                              Function 6BF7A720 Relevance: .0, Instructions: 16COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction ID: fabb8adb9a1fa3e02338c149079a75254e0c7a032612ed888cf0541485102a5a
                              • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction Fuzzy Hash: E5C08CA312810017C312EA25A8C0BAAF6B37360330F238C7EA0A2E7E43C328C0658111
                              Function 6BF11B50 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 341COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: 689a5693672ced5d253561b79db13b97cb572873e472296e6857d38e3e260d60
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: DED1B372A0821ADFCF11CFA4D990BEEB7B5FF15304F208959E055A3270DB79AA45CB60
                              Function 6BEF9798 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 461COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: cc4aef98bb929d6e32381b0c9bda1cf587d0c95212cb64739910926911ee5322
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: F6125875D0020AEFDF10DFA4C880ADDBBB9FF48318F2081ADE955AB251D7399956CB50
                              Function 6BEAD1C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON
                              Download Yara Rule
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6BEAD1F7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6BEAD1FF
                              • _ValidateLocalCookies.LIBCMT ref: 6BEAD288
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6BEAD2B3
                              • _ValidateLocalCookies.LIBCMT ref: 6BEAD308
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: b962360ba94a7dc6771c4f401ae89b0c221fa48f5d2f8df6eb7a06b28e376d7e
                              • Instruction ID: 95716616ee71070a04f4efe029039755be251288cf63ba5946b98b698d715025
                              • Opcode Fuzzy Hash: b962360ba94a7dc6771c4f401ae89b0c221fa48f5d2f8df6eb7a06b28e376d7e
                              • Instruction Fuzzy Hash: CD418638940219AFCF00DF78C854A9E7BB9AF45318F20C599EC259F351D739DA16CBA1
                              Function 6BEBA58A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              • Opcode ID: d448bb9d5634fdb603f84d8f9f7789c8d9ab88a580e1bc08585dcd326a1dcaeb
                              • Instruction ID: d768a7c66b5adb269a5eadcc6df3692e685a609ba7cc54e9d745bb12e9061ee0
                              • Opcode Fuzzy Hash: d448bb9d5634fdb603f84d8f9f7789c8d9ab88a580e1bc08585dcd326a1dcaeb
                              • Instruction Fuzzy Hash: E521C9B1D85220EBDF218B6CDE44A0B37A49B56764F313168E811A7384DF7CDD1286E0
                              Function 6BEBF5A1 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetConsoleCP.KERNEL32(?,6BEBE7C0,?), ref: 6BEBF5E9
                              • __fassign.LIBCMT ref: 6BEBF7C8
                              • __fassign.LIBCMT ref: 6BEBF7E5
                              • WriteFile.KERNEL32(?,6BEC91A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BEBF82D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6BEBF86D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BEBF919
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID:
                              • API String ID: 4031098158-0
                              • Opcode ID: de6e286cd52a0a7ab32bda8b890ed36220e9a011e35b1999062f326031562440
                              • Instruction ID: 039ac36712b635445bef3288669c77051539478eb2925c30c61b625ab2325597
                              • Opcode Fuzzy Hash: de6e286cd52a0a7ab32bda8b890ed36220e9a011e35b1999062f326031562440
                              • Instruction Fuzzy Hash: 18D1BD79D002589FCF15CFA8C9909EDBBB5BF49314F24016AE855BB341E7389946CB90
                              Function 6BD72F60 Relevance: 9.1, APIs: 6, Instructions: 107COMMON
                              Download Yara Rule
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BD72F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BD72FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD72FD0
                              • __Getctype.LIBCPMT ref: 6BD73084
                              • std::_Facet_Register.LIBCPMT ref: 6BD7309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BD730B7
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 271a8507c61b3ec6d05d86977dfef5ecfdbd06a9666ae77ed4d2411862a0d53f
                              • Instruction ID: 290af712df994f68b2440cb0732947b3aa75305300fae49e59d0e7d3b65d40af
                              • Opcode Fuzzy Hash: 271a8507c61b3ec6d05d86977dfef5ecfdbd06a9666ae77ed4d2411862a0d53f
                              • Instruction Fuzzy Hash: EF4137B1E00218CFCB24DFA4C855B9EB7B4FF44724F148169D859AB350DB78A905CBA1
                              Function 6BEE7FA6 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: 28d59475a173a164d6e7c8edd46fd40d424e9afc0b1293acb9776c1a6fb3bab9
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: 5B21C33194021ABEEF20AFA4DC41D8F7AAAFB417A8F308276B524611A0D2769D61D671
                              Function 6BEED6EC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 183COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BEED6F1
                                • Part of subcall function 6BEFC173: __EH_prolog.LIBCMT ref: 6BEFC178
                              • __EH_prolog.LIBCMT ref: 6BEED8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: 45819dc97abfcd98cf6f094fe0aba433dd9a8ad7ffdd19eb529bbecc9dda051e
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: 2871C435940255DFDB14DFA8C441BEDB7B4BF54308F20C4ADD8556B391CB78AA4ACBA0
                              Function 6BEC90FD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 6BEC91CD
                              • _free.LIBCMT ref: 6BEC91F6
                              • SetEndOfFile.KERNEL32(00000000,6BEC7DDC,00000000,6BEBE7C0,?,?,?,?,?,?,?,6BEC7DDC,6BEBE7C0,00000000), ref: 6BEC9228
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6BEC7DDC,6BEBE7C0,00000000,?,?,?,?,00000000,?), ref: 6BEC9244
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: 388cef0dcfcf184020973af0a3ffdafcc1f68e774d0511a8fd8fd2ede00b7f32
                              • Instruction ID: bad78b3fd365b527b0d85c8fb936814edfab0e470addb279e4d6ecbbe7adfb49
                              • Opcode Fuzzy Hash: 388cef0dcfcf184020973af0a3ffdafcc1f68e774d0511a8fd8fd2ede00b7f32
                              • Instruction Fuzzy Hash: 4041C43A900605ABDB129FB8CE47B8F3775AF4532CF361558E874A7291EB3CC8514762
                              Function 6BF01418 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BF0141D
                                • Part of subcall function 6BF01E40: __EH_prolog.LIBCMT ref: 6BF01E45
                                • Part of subcall function 6BF018EB: __EH_prolog.LIBCMT ref: 6BF018F0
                                • Part of subcall function 6BF01593: __EH_prolog.LIBCMT ref: 6BF01598
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: c1ad27abadfc7378b423c98823dd2df21db2eb3a181536f4e50805969097ed91
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 9321BB71D01258AECF04DBF4D9929EDBBB5AF25318F20402DE41227290DFB81F09CB61
                              Function 6BF01234 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: a6cc8bec571d81b489bfe9574f8896fa9559de4f883a3c27e499804f12874341
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 4B11F5B1900B64CEC720CF6AC45019AFBE8BFA5708B10C91FC0A687B20DBF8A505CB94
                              Function 6BEB281A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6BEB28A4,?,?,6BEB2925,?,?,?), ref: 6BEB282F
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6BEB2842
                              • FreeLibrary.KERNEL32(00000000,?,?,6BEB28A4,?,?,6BEB2925,?,?,?), ref: 6BEB2865
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 13b0e83c21318842f273da0bac06aca9bd02a19eed32a04f47c8be0cdc54b15b
                              • Instruction ID: 7d26767dbba526c63da4ce437dc7261ed6bf89ffe3aafe2099470254eff28cbc
                              • Opcode Fuzzy Hash: 13b0e83c21318842f273da0bac06aca9bd02a19eed32a04f47c8be0cdc54b15b
                              • Instruction Fuzzy Hash: 7DF08C30510118FBDF119BA0DD09B9EBFB8EF4535AF2040B4E901B21A0CFB8CA01DB90
                              Function 6BEAAA17 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6BEAAA1E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6BEAAA29
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6BEAAA97
                                • Part of subcall function 6BEAA920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6BEAA938
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6BEAAA44
                              • _Yarn.LIBCPMT ref: 6BEAAA5A
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: 11cdac26b95006734e2151d58947d7c37f0f7d993413de3604fa755d9c4e5c7e
                              • Instruction ID: 61831a7e1551c7690e4952a43ac7906056e083963fdda41a56f9221dce3bf815
                              • Opcode Fuzzy Hash: 11cdac26b95006734e2151d58947d7c37f0f7d993413de3604fa755d9c4e5c7e
                              • Instruction Fuzzy Hash: 6901B879A502218FDB0ADF30C945A3D7BBAFF85284B25504CD8025B384DF38AA06CB81
                              Function 6BF29E3F Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 452COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: 2f3bf66eeec645d7c7c59c5a0fb6f69f16f6b8a7695144a6c22fb0c1e5cf9046
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 81126D72E0524ADFCB04CFE4C591ADDBBF1BF09304F1484AEE445AB662DB39A951CB60
                              Function 6BEF5B91 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 022d20de3055cb3229dd33d322ca40c1df1d44745ccbdb356ef438a601e16f3f
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: B9B12E71D01209DFCB24CFA5C8809AEBBF5FF58318F60856ED51AA7350D739AA42CB50
                              Function 6BD72020 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 6BEAAA17: __EH_prolog3.LIBCMT ref: 6BEAAA1E
                                • Part of subcall function 6BEAAA17: std::_Lockit::_Lockit.LIBCPMT ref: 6BEAAA29
                                • Part of subcall function 6BEAAA17: std::locale::_Setgloballocale.LIBCPMT ref: 6BEAAA44
                                • Part of subcall function 6BEAAA17: _Yarn.LIBCPMT ref: 6BEAAA5A
                                • Part of subcall function 6BEAAA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6BEAAA97
                                • Part of subcall function 6BD72F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BD72F95
                                • Part of subcall function 6BD72F60: std::_Lockit::_Lockit.LIBCPMT ref: 6BD72FAF
                                • Part of subcall function 6BD72F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD72FD0
                                • Part of subcall function 6BD72F60: __Getctype.LIBCPMT ref: 6BD73084
                                • Part of subcall function 6BD72F60: std::_Facet_Register.LIBCPMT ref: 6BD7309C
                                • Part of subcall function 6BD72F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6BD730B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6BD7211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: 996590680ee66fec442f2e17d1086d88ab01cf1825814a09f1ec066a180b22c8
                              • Instruction ID: 5cbf370a9c86c7868a10d521c2b09ee3f4bee8c9ff2abc8d6f0f7069c579191f
                              • Opcode Fuzzy Hash: 996590680ee66fec442f2e17d1086d88ab01cf1825814a09f1ec066a180b22c8
                              • Instruction Fuzzy Hash: 5141B2B0E003499FDB10DF64D8457AABBB5FF49318F104268E919AF381E7799985CF90
                              Function 6BEF91D6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: 1e94177076cfabbbc3cf0db495cde114de47a738655ede6730a7c15a76fb067c
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: C021B079E01205CBDB04DFE8D4811EEB7BABF94304F34856EC452A7292C7788A43CAA0
                              Function 6BF10584 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction ID: 497bb1a3b3984717e7d3ea08e10a08f95d580c939e02b2a22cc08df23da52075
                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction Fuzzy Hash: 0C215B32E01119DACF04DBE8D991AEEB7B5EF98348F20046AD501B7250DBB95E05CBA1
                              Function 6BF07EC7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BF07ECC
                                • Part of subcall function 6BEF258A: __EH_prolog.LIBCMT ref: 6BEF258F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: 5ebb1f5f197b0a4507f7ccaf28b05c6115c2e170364ca7fdf28f4357f4ed109f
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: E321C9B0801B40DFC760CF6AC14425ABBF4BF29708B10C95EC0AA97A11D7B8A609CF55
                              Function 6BEBE480 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6BEBE7C0,6BD71DEA,00008000,6BEBE7C0,?,?,?,6BEBE36F,6BEBE7C0,?,00000000,6BD71DEA), ref: 6BEBE4B9
                              • GetLastError.KERNEL32(?,?,?,6BEBE36F,6BEBE7C0,?,00000000,6BD71DEA,?,6BEC7D8E,6BEBE7C0,000000FF,000000FF,00000002,00008000,6BEBE7C0), ref: 6BEBE4C3
                              • __dosmaperr.LIBCMT ref: 6BEBE4CA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: 337ae2905612d4d3c6b82d54e48c66fc44a867bc574a9fa42b3ec8d09f825b7e
                              • Instruction ID: a6bca345441d0581c6a0144924d68e084d44fc4ec7f12ee7aae45196faa7e64f
                              • Opcode Fuzzy Hash: 337ae2905612d4d3c6b82d54e48c66fc44a867bc574a9fa42b3ec8d09f825b7e
                              • Instruction Fuzzy Hash: D1014032620514AFCF098F68CD05C5D372DDFC63347340688E411A7290FB75D9118790
                              Function 6BEFED0E Relevance: 6.4, Strings: 5, Instructions: 105COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: ad17bd0a4472d0ff685b1f246cb319b483d75d059062265213167484fe876044
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: BD418330C54649ABCF24DBB0E4918EEB779AF11208B30C1ADD02567960EB7EF657CB51
                              Function 6BEF9331 Relevance: 6.1, APIs: 4, Instructions: 76COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: b3575fd291ba45ced5d51f5313a7e6c6ffd60a5685ae7612fc362f8a4681e9fc
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: 1511D276204245BFEB245EA4DC41EAF7BBEEFC9704F10886DF281522A0C6B5EC12D720
                              Function 6BEB80A2 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(?,?,?,6BEB2654,6BED9DD0,0000000C), ref: 6BEB80A7
                              • _free.LIBCMT ref: 6BEB8104
                              • _free.LIBCMT ref: 6BEB813A
                              • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,6BEB2654,6BED9DD0,0000000C), ref: 6BEB8145
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-0
                              • Opcode ID: 502a2517b3459ec046dd00e352ccf521b6dbb4c6f5becc48e8d22a53ff463a8c
                              • Instruction ID: 9c1c7b4f7b53a0024e2c1c855182683b06b785ecee81da4f9ecc653f2499e70f
                              • Opcode Fuzzy Hash: 502a2517b3459ec046dd00e352ccf521b6dbb4c6f5becc48e8d22a53ff463a8c
                              • Instruction Fuzzy Hash: 1711A332645202AAEE151B789E85E1A3369AFC36BCB35063CF535A63E0EF7DCC154710
                              Function 6BEC95AA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6BEC7DDC,00000000,00000000,?,6BEC8241,00000000,00000001,00000000,6BEBE7C0,?,6BEBF976,?,?,6BEBE7C0), ref: 6BEC95C1
                              • GetLastError.KERNEL32(?,6BEC8241,00000000,00000001,00000000,6BEBE7C0,?,6BEBF976,?,?,6BEBE7C0,?,6BEBE7C0,?,6BEBF40C,6BEC91A6), ref: 6BEC95CD
                                • Part of subcall function 6BEC961E: CloseHandle.KERNEL32(FFFFFFFE,6BEC95DD,?,6BEC8241,00000000,00000001,00000000,6BEBE7C0,?,6BEBF976,?,?,6BEBE7C0,?,6BEBE7C0), ref: 6BEC962E
                              • ___initconout.LIBCMT ref: 6BEC95DD
                                • Part of subcall function 6BEC95FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6BEC959B,6BEC822E,6BEBE7C0,?,6BEBF976,?,?,6BEBE7C0,?), ref: 6BEC9612
                              • WriteConsoleW.KERNEL32(00000000,?,6BEC7DDC,00000000,?,6BEC8241,00000000,00000001,00000000,6BEBE7C0,?,6BEBF976,?,?,6BEBE7C0,?), ref: 6BEC95F2
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: 9ac03d6564fc6e8dca711891621a9eab3322710fbedc173da80d2dcaf27e9abd
                              • Instruction ID: 637a9d25ab15b5b8a109b1ed084a28d9b88ed6087c55b7de1ed0c873e5fb064b
                              • Opcode Fuzzy Hash: 9ac03d6564fc6e8dca711891621a9eab3322710fbedc173da80d2dcaf27e9abd
                              • Instruction Fuzzy Hash: 6CF0303A401118BFCF131FA5DC48A8E3F36FF4A7B9B504050FA2995220DB72C860DB92
                              Function 6BEE1072 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 398COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BEE1077
                                • Part of subcall function 6BEE0FF5: __EH_prolog.LIBCMT ref: 6BEE0FFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: 07e285e2709724bad6341df6ecb511c7fb80496b6a940e7685002fab68c5904b
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: 17E1CE309042199ACB11DFE8C891BEDB7B1BF15318F20815DD8566B291DBBCA59BCB22
                              Function 6BF2D354 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 234COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction ID: 27386aa5147cde4ccc86ae150ff768635404bc0c43524c37a06dfe71141cab70
                              • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction Fuzzy Hash: BA81D477A402099FDF10CFE4C451B9EB7F5AF44348F2080A9D818AB265D779E905CBA1
                              Function 6BEB6814 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: 900bad89ada7057e9944173abcd592d0ef1e6433575c3f8a4aa7adf2b41db988
                              • Instruction ID: e2f8f74041c11356cba54cb1cb582e9ad2b4122f7b0bb8fbcb051e1b1fb5c579
                              • Opcode Fuzzy Hash: 900bad89ada7057e9944173abcd592d0ef1e6433575c3f8a4aa7adf2b41db988
                              • Instruction Fuzzy Hash: 6471B371D042169FEF108FA4CA80AEEFBB5BF45318F348169E82467390DB7D9952CB61
                              Function 6BF06C20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 224COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: b5e830d90b5f2ba4a67a3835f8c24ad65235c257876a72503824f4c95da513c9
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: DC913A71910709EFCB20DFA9C8949DEFBF4BF18304F50455EE459A72A0DB78AA84DB24
                              Function 6BEFBC58 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 213COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6BEFBC5D
                                • Part of subcall function 6BEFA61A: __EH_prolog.LIBCMT ref: 6BEFA61F
                                • Part of subcall function 6BEFAA2E: __EH_prolog.LIBCMT ref: 6BEFAA33
                                • Part of subcall function 6BEFBEA5: __EH_prolog.LIBCMT ref: 6BEFBEAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: 3c5233bba992d59acb7a0efcacb03bc97c0d5962c487a4202e560c3336d9f912
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 81817A35D00149DFCB15DFB8D991ADDBBB5AF18318F20409EE512672A0DF38AE06CB61
                              Function 6BD728E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 176COMMON
                              Download Yara Rule
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6BD72A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              • Opcode ID: 376465410226ab1b741f9a101cc3bfe175dd06e6087a5b5541c92900f2fda3f2
                              • Instruction ID: e575d327e433aae8859bd8c4970ec631923fd5dfb1225ccc15f3f2db1f231688
                              • Opcode Fuzzy Hash: 376465410226ab1b741f9a101cc3bfe175dd06e6087a5b5541c92900f2fda3f2
                              • Instruction Fuzzy Hash: F951F5B1900244DBCB24DF68D8816DEBBB5EF89328F24847DD8599F341E339D985CB91
                              Function 6BF02F9C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: 89c117bcbc4610d5ee4403679bf3b1f4747c9e510a6a3090f5d5dc5b46db2d24
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: D2518F72E04209EFCF11DFA8C890CEDB7B1BF48308F10856DE515AB260DB799946DB50
                              Function 6BEFE9B9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction ID: 7651c5bf21acdaf6a88e719f0621a162d878b7dc4d8dc25dcb985a071bcc5cd5
                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction Fuzzy Hash: 9B412B20A24DE0AED7368F78C4547A9BBADAF16388F3481DDC49307281DB6D7997C391
                              Function 6BEC05EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6BEC7DC6), ref: 6BEC070B
                              • __dosmaperr.LIBCMT ref: 6BEC0712
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: a6f3b0ba57f77d97021926762ba8a37ddbd52e16493b3b16f572e39e4a8abd19
                              • Instruction ID: 1d6d84c55742aaf328bef13aa2a56001233d210cf7ad83f3a39608056fabe58e
                              • Opcode Fuzzy Hash: a6f3b0ba57f77d97021926762ba8a37ddbd52e16493b3b16f572e39e4a8abd19
                              • Instruction Fuzzy Hash: 8D4190F0504254AFDB159F28CA8079A7FE5DF86314F344199E8A44B343E3799C228B92
                              Function 6BF1812C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: dce58f4e7a4753edff0c4749b29c4455ff7296a4090d1f49fea29e1da9f1e065
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: 77315B33B8C945CBD701DB6CDF06BA97B71EB02724F20056AD400F26F0CBAD8982CA51
                              Function 6BF17C24 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 3bf29b89c0167add575c77cb7698523524001c9078cd0b549dde6a6850597493
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 80419172609785EFCB118F70C8907BEBBE2FF45204F10486EE45A9B260CB796905DB92
                              Function 6BF1ACB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 8771a2cd1335032f81656a518dd5e3fa31f58b555022df59e245bf7598a469a9
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: 132105B2904704AED330DFB99881B5BFAF9EB88714F108D6FA086D3610C774E8048B61
                              Function 6BF13906 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: faba97ec2c55c852ca95d712609311f46f28307d6fce2cbc6ee2bccd9608386a
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: 2101C4B2E05349EACB20DFA9C4805AEF7B4FF55704F80C86EE029E3251C3389904CB95
                              Function 6BEEF0AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: 35c0eecd3fad44341f7c28a8d8521b5653a7df991c3ae25262acb7bb986823ff
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: F1115A71A00209DBDB00CFA9D49059EB7B4FF18308FA0C46EE429E7211D3389A02CBA5
                              Function 6BEC1418 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 6BEC1439
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6BEBDD2A,?,00000004,?,4B42FCB6,?,?,6BEB2E7C,4B42FCB6,?), ref: 6BEC1475
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1942596209.000000006BD21000.00000020.00000001.01000000.00000009.sdmp, Offset: 6BD20000, based on PE: true
                              • Associated: 00000006.00000002.1942568775.000000006BD20000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943797380.000000006BECB000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1945447422.000000006C097000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: 34bc1258a48172456eef455004e194776c8f519bd28015ec9a4274d6e4deee88
                              • Instruction ID: d447b17f3588412d7c2151ed1833a04da82461ae519eeaf17b4e9613d2f89e6f
                              • Opcode Fuzzy Hash: 34bc1258a48172456eef455004e194776c8f519bd28015ec9a4274d6e4deee88
                              • Instruction Fuzzy Hash: 4AF09632600235AADB115BB59E01B5F376ABFC3FB9B31815DE8349A290DB3CD41281A3
                              Function 6BF0D143 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: d84c4cf5149bb94b806bc48feac4017c3958cafa683a34985035dee2760b98ef
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: 8EE0A933A44621EBEB149F48D821B9ABBA8EF40B10F11005EA421A3272CFB9A800D7C0
                              Function 6BF16431 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: 38382c6cdb507d0cb5589392be00ff93f36b7835a80fd3aa920ecf0b337cdc61
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: 8EE06D33A09521BBEB149F98D802B9EF3A8FF64B15F10445FA412A7665CBB9A8008691
                              Function 6BF424AB Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction ID: 8ce130c6bda980ddcca82037b6c25d4926256820bbdea3c7090e6dc4a65f6e1a
                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction Fuzzy Hash: 3091E4366143069BCB04DF74C4907EE7BA2AF41348F10487DD866DB2A2DB7FA94ACB51
                              Function 6BF37E19 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.1943868736.000000006BEDB000.00000008.00000001.01000000.00000009.sdmp, Offset: 6BEDB000, based on PE: true
                              • Associated: 00000006.00000002.1944658149.000000006BFA6000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000006.00000002.1944690975.000000006BFAC000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_6bd20000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction ID: e3b98e6eec8996dbab5a94606c14ed200a52f0d658cb8e96cd65eb346ff18864
                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction Fuzzy Hash: 25518172A08219EBCF00DFB8D841EDEB771BF15358F204459E815672A0DBBEA945CBE1

                              Execution Graph

                              Execution Coverage:4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0.4%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:56
                              execution_graph 73233 830343 73238 83035f 73233->73238 73236 830358 73239 830369 __EH_prolog 73238->73239 73255 80139e 73239->73255 73247 8303a2 73272 7f1e40 free 73247->73272 73249 8303aa 73273 8303d8 73249->73273 73254 7f1e40 free 73254->73236 73256 8013ae 73255->73256 73258 8013b3 73255->73258 73289 887ea0 SetEvent GetLastError 73256->73289 73259 8301c4 73258->73259 73261 8301ce __EH_prolog 73259->73261 73260 830203 73290 7f1e40 free 73260->73290 73261->73260 73291 7f1e40 free 73261->73291 73263 83020b 73265 830143 73263->73265 73269 83014d __EH_prolog 73265->73269 73266 830182 73292 7f1e40 free 73266->73292 73268 83018a 73271 7f1e40 free 73268->73271 73269->73266 73293 7f1e40 free 73269->73293 73271->73247 73272->73249 73274 8303e2 __EH_prolog 73273->73274 73275 80139e ctype 2 API calls 73274->73275 73276 8303fb 73275->73276 73294 887d50 73276->73294 73278 830403 73279 887d50 ctype 2 API calls 73278->73279 73280 83040b 73279->73280 73281 887d50 ctype 2 API calls 73280->73281 73282 8303b7 73281->73282 73283 83004a 73282->73283 73284 830054 __EH_prolog 73283->73284 73300 7f1e40 free 73284->73300 73286 830067 73301 7f1e40 free 73286->73301 73288 83006f 73288->73236 73288->73254 73289->73258 73290->73263 73291->73261 73292->73268 73293->73269 73295 887d59 CloseHandle 73294->73295 73298 887d7b 73294->73298 73296 887d64 GetLastError 73295->73296 73297 887d75 73295->73297 73296->73298 73299 887d6e 73296->73299 73297->73298 73298->73278 73299->73278 73300->73286 73301->73288 73302 876bc6 73303 876bcd 73302->73303 73304 876bca 73302->73304 73303->73304 73305 876bd1 malloc 73303->73305 73305->73304 73306 7fc3bd 73307 7fc3db 73306->73307 73308 7fc3ca 73306->73308 73308->73307 73310 7f1e40 free 73308->73310 73310->73307 73311 81d3c2 73312 81d3e9 73311->73312 73408 7f965d 73312->73408 73315 81d883 2 API calls 73316 81d4b1 73315->73316 73412 818d4a 73316->73412 73323 7f2fec 3 API calls 73324 81d594 73323->73324 73325 81d742 73324->73325 73326 81d5cd 73324->73326 73470 81cd49 malloc _CxxThrowException free 73325->73470 73327 81d7d9 73326->73327 73437 819317 73326->73437 73473 7f1e40 free 73327->73473 73329 81d754 73332 7f2fec 3 API calls 73329->73332 73335 81d763 73332->73335 73333 81d7e1 73474 7f1e40 free 73333->73474 73471 7f1e40 free 73335->73471 73337 81d5f1 73443 8304d2 73337->73443 73339 81d7e9 73342 81326b free 73339->73342 73341 81d76b 73472 7f1e40 free 73341->73472 73354 81d69a 73342->73354 73346 81d773 73348 81326b free 73346->73348 73348->73354 73350 81d610 73456 7f1e40 free 73350->73456 73352 81d618 73457 81326b 73352->73457 73355 81d2a8 73355->73354 73377 81d883 73355->73377 73378 81d88d __EH_prolog 73377->73378 73475 7f2e04 73378->73475 73381 7f2e04 2 API calls 73382 81d8d2 73381->73382 73383 7f2e04 2 API calls 73382->73383 73384 81d8de 73383->73384 73478 812b63 73384->73478 73409 7f9685 73408->73409 73411 7f9665 73408->73411 73409->73315 73410 7f967e VariantClear 73410->73409 73411->73409 73411->73410 73417 818d54 __EH_prolog 73412->73417 73413 818e15 73416 818e2d 73413->73416 73419 818e21 73413->73419 73420 818e5e 73413->73420 73414 818e09 73415 7f965d VariantClear 73414->73415 73418 818e11 73415->73418 73416->73420 73421 818e2b 73416->73421 73427 818da4 73417->73427 73492 7f2b55 malloc _CxxThrowException free _CxxThrowException ctype 73417->73492 73429 818b05 73418->73429 73493 7f3097 malloc _CxxThrowException free SysStringLen ctype 73419->73493 73422 7f965d VariantClear 73420->73422 73425 7f965d VariantClear 73421->73425 73422->73418 73426 818e47 73425->73426 73426->73418 73494 818e7c 6 API calls __EH_prolog 73426->73494 73427->73413 73427->73414 73427->73418 73431 818b2e 73429->73431 73430 7f965d VariantClear 73432 818b5b 73430->73432 73431->73430 73433 812a72 73432->73433 73434 812a82 73433->73434 73435 7f2e04 2 API calls 73434->73435 73436 812a9f 73435->73436 73436->73323 73441 819321 __EH_prolog 73437->73441 73438 819360 73439 7f965d VariantClear 73438->73439 73440 8193d0 73439->73440 73440->73327 73440->73337 73441->73438 73495 7f9686 VariantClear 73441->73495 73444 81d5f9 73443->73444 73445 8304df 73443->73445 73449 81e332 73444->73449 73446 8304e8 _CxxThrowException 73445->73446 73447 8304fd 73445->73447 73446->73447 73496 830551 malloc _CxxThrowException free memcpy ctype 73447->73496 73450 81e33c __EH_prolog 73449->73450 73451 7f1e0c ctype 2 API calls 73450->73451 73452 81e34a 73451->73452 73453 81d608 73452->73453 73497 81e3d1 malloc _CxxThrowException __EH_prolog 73452->73497 73455 7f1e40 free 73453->73455 73455->73350 73456->73352 73458 813275 __EH_prolog 73457->73458 73498 812c0b 73458->73498 73461 812c0b ctype free 73462 813296 73461->73462 73503 7f1e40 free 73462->73503 73464 81329e 73504 7f1e40 free 73464->73504 73466 8132a6 73505 7f1e40 free 73466->73505 73468 8132ae 73468->73355 73470->73329 73471->73341 73472->73346 73473->73333 73474->73339 73484 7f1e0c 73475->73484 73479 812b6d __EH_prolog 73478->73479 73480 7f2e04 2 API calls 73479->73480 73481 812b9a 73480->73481 73485 7f1e1c malloc 73484->73485 73486 7f1e15 73484->73486 73487 7f1e3e 73485->73487 73488 7f1e2a _CxxThrowException 73485->73488 73486->73485 73487->73381 73488->73487 73492->73427 73493->73421 73494->73418 73495->73438 73496->73444 73497->73453 73506 7f1e40 free 73498->73506 73500 812c16 73507 7f1e40 free 73500->73507 73502 812c1e 73502->73461 73503->73464 73504->73466 73505->73468 73506->73500 73507->73502 73508 81a7c5 73532 81a7e9 73508->73532 73560 81a96b 73508->73560 73509 81ade3 73613 7f1e40 free 73509->73613 73511 81a952 73511->73560 73594 81e0b0 6 API calls 73511->73594 73512 81adeb 73614 7f1e40 free 73512->73614 73516 81ac1e 73600 7f1e40 free 73516->73600 73517 81ae99 73518 7f1e0c ctype 2 API calls 73517->73518 73521 81aea9 memset memset 73518->73521 73524 81aedd 73521->73524 73522 81ac26 73601 7f1e40 free 73522->73601 73523 81adf3 73523->73517 73527 8304d2 malloc _CxxThrowException free _CxxThrowException memcpy 73523->73527 73615 7f1e40 free 73524->73615 73527->73523 73529 81aee5 73616 7f1e40 free 73529->73616 73532->73511 73533 8304d2 5 API calls 73532->73533 73593 81e0b0 6 API calls 73532->73593 73533->73532 73534 81aef0 73617 7f1e40 free 73534->73617 73537 81c430 73619 7f1e40 free 73537->73619 73540 81ac6c 73602 7f1e40 free 73540->73602 73541 81c438 73620 7f1e40 free 73541->73620 73545 81c443 73621 7f1e40 free 73545->73621 73546 81ac85 73603 7f1e40 free 73546->73603 73548 81c44e 73622 7f1e40 free 73548->73622 73551 81ac2e 73618 7f1e40 free 73551->73618 73552 81c459 73554 81ad88 73610 818125 free ctype 73554->73610 73558 81ad17 73607 818125 free ctype 73558->73607 73559 81ad93 73611 7f1e40 free 73559->73611 73560->73509 73560->73516 73560->73540 73560->73554 73560->73558 73561 81acbc 73560->73561 73575 80101c 73560->73575 73578 8198f2 73560->73578 73584 81cc6f 73560->73584 73595 819531 5 API calls __EH_prolog 73560->73595 73596 8180c1 malloc _CxxThrowException __EH_prolog 73560->73596 73597 81c820 5 API calls 2 library calls 73560->73597 73598 81814d 6 API calls 73560->73598 73599 818125 free ctype 73560->73599 73604 818125 free ctype 73561->73604 73565 81acc7 73605 7f1e40 free 73565->73605 73566 81ad3c 73608 7f1e40 free 73566->73608 73567 81adac 73612 7f1e40 free 73567->73612 73571 81ace0 73606 7f1e40 free 73571->73606 73572 81ad55 73609 7f1e40 free 73572->73609 73623 7fb95a 73575->73623 73579 8198fc __EH_prolog 73578->73579 73639 819987 73579->73639 73581 819970 73581->73560 73583 819911 73583->73581 73643 81ef8d 12 API calls 2 library calls 73583->73643 73683 83f445 73584->73683 73689 835505 73584->73689 73693 83cf91 73584->73693 73585 81cc8b 73586 81cccb 73585->73586 73701 81979e VariantClear __EH_prolog 73585->73701 73586->73560 73588 81ccb1 73588->73586 73702 81cae9 VariantClear 73588->73702 73593->73532 73594->73560 73595->73560 73596->73560 73597->73560 73598->73560 73599->73560 73600->73522 73601->73551 73602->73546 73603->73551 73604->73565 73605->73571 73606->73551 73607->73566 73608->73572 73609->73551 73610->73559 73611->73567 73612->73551 73613->73512 73614->73523 73615->73529 73616->73534 73617->73551 73618->73537 73619->73541 73620->73545 73621->73548 73622->73552 73624 7fb969 73623->73624 73627 7fb97d 73623->73627 73624->73627 73629 7f7731 73624->73629 73626 7fb9ee 73626->73627 73637 7fb8ec GetLastError 73626->73637 73627->73560 73630 7f775c SetFilePointer 73629->73630 73631 7f7740 73629->73631 73632 7f7780 GetLastError 73630->73632 73636 7f77a1 73630->73636 73631->73630 73633 7f778c 73632->73633 73632->73636 73638 7f76d6 SetFilePointer GetLastError 73633->73638 73635 7f7796 SetLastError 73635->73636 73636->73626 73637->73627 73638->73635 73640 819991 __EH_prolog 73639->73640 73644 8480aa 73640->73644 73641 8199a8 73641->73583 73643->73581 73645 8480b4 __EH_prolog 73644->73645 73646 7f1e0c ctype 2 API calls 73645->73646 73647 8480bf 73646->73647 73648 8480d3 73647->73648 73650 83bdb5 73647->73650 73648->73641 73651 83bdbf __EH_prolog 73650->73651 73656 83be69 73651->73656 73653 83bdef 73654 7f2e04 2 API calls 73653->73654 73655 83be16 73654->73655 73655->73648 73657 83be73 __EH_prolog 73656->73657 73660 835e2b 73657->73660 73659 83be7f 73659->73653 73661 835e35 __EH_prolog 73660->73661 73666 8308b6 73661->73666 73663 835e41 73671 80dfc9 malloc _CxxThrowException __EH_prolog 73663->73671 73665 835e57 73665->73659 73672 7f9c60 73666->73672 73668 8308c4 73677 7f9c8f GetModuleHandleA GetProcAddress 73668->73677 73670 8308f3 __aulldiv 73670->73663 73671->73665 73682 7f9c4d GetCurrentProcess GetProcessAffinityMask 73672->73682 73674 7f9c6e 73675 7f9c80 GetSystemInfo 73674->73675 73676 7f9c79 73674->73676 73675->73668 73676->73668 73678 7f9cef GlobalMemoryStatus 73677->73678 73679 7f9cc4 GlobalMemoryStatusEx 73677->73679 73680 7f9d08 73678->73680 73679->73678 73681 7f9cce 73679->73681 73680->73681 73681->73670 73682->73674 73684 83f455 73683->73684 73703 801092 73684->73703 73688 83f478 73688->73585 73690 83550f __EH_prolog 73689->73690 73755 834e8a 73690->73755 73694 83cf9b __EH_prolog 73693->73694 73695 83f445 14 API calls 73694->73695 73696 83d018 73695->73696 73698 83d01f 73696->73698 74001 841511 73696->74001 73698->73585 73699 83d08b 73699->73698 74007 842c5d 11 API calls 2 library calls 73699->74007 73701->73588 73702->73586 73705 7fb95a 6 API calls 73703->73705 73704 8010aa 73704->73688 73706 83f1b2 73704->73706 73705->73704 73707 83f1bc __EH_prolog 73706->73707 73716 801168 73707->73716 73709 83f1d3 73710 83f231 memcpy 73709->73710 73711 83f21c _CxxThrowException 73709->73711 73712 83f1e6 73709->73712 73714 83f24c 73710->73714 73711->73710 73712->73688 73713 83f2f0 memmove 73713->73714 73714->73712 73714->73713 73715 83f31a memcpy 73714->73715 73715->73712 73719 80111c 73716->73719 73721 801130 73719->73721 73720 80115f 73720->73709 73721->73720 73724 7fd331 73721->73724 73728 7fb668 73721->73728 73725 7fd355 73724->73725 73726 7fd374 73725->73726 73727 7fb668 10 API calls 73725->73727 73726->73721 73727->73726 73729 7fb675 73728->73729 73733 7fb6aa 73729->73733 73734 7fb81b 73729->73734 73735 7f7731 5 API calls 73729->73735 73736 7fb7e7 73729->73736 73738 7fb811 73729->73738 73740 7fb7ad 73729->73740 73745 7fb864 73729->73745 73752 7f7b4f ReadFile 73729->73752 73732 7fb8aa GetLastError 73732->73733 73733->73721 73734->73733 73737 7fb839 memcpy 73734->73737 73735->73729 73739 7f7731 5 API calls 73736->73739 73736->73745 73737->73733 73753 7fb8ec GetLastError 73738->73753 73742 7fb80d 73739->73742 73740->73729 73746 7fb8c7 73740->73746 73751 876a20 VirtualAlloc 73740->73751 73742->73738 73742->73745 73747 7f7b7c 73745->73747 73746->73733 73748 7f7b89 73747->73748 73754 7f7b4f ReadFile 73748->73754 73750 7f7b9a 73750->73732 73750->73733 73751->73740 73752->73729 73753->73733 73754->73750 73756 834e94 __EH_prolog 73755->73756 73757 7f2e04 2 API calls 73756->73757 73773 834f1d 73756->73773 73758 834ed7 73757->73758 73887 807fc5 73758->73887 73760 834f37 73763 834f63 73760->73763 73764 834f41 73760->73764 73761 834f0a 73762 7f965d VariantClear 73761->73762 73767 834f15 73762->73767 73910 7f2f88 73763->73910 73765 7f965d VariantClear 73764->73765 73768 834f4c 73765->73768 73908 7f1e40 free 73767->73908 73909 7f1e40 free 73768->73909 73772 7f965d VariantClear 73774 834f80 73772->73774 73773->73585 73916 805bcf malloc _CxxThrowException 73774->73916 73776 834f9a 73917 7f2e47 73776->73917 73780 834fbd 73781 7f2e04 2 API calls 73780->73781 73782 834fd1 73781->73782 73783 7f2e04 2 API calls 73782->73783 73791 834fdd 73783->73791 73784 835404 73971 7f1e40 free 73784->73971 73786 83540c 73972 7f1e40 free 73786->73972 73788 835414 73973 7f1e40 free 73788->73973 73791->73784 73924 805bcf malloc _CxxThrowException 73791->73924 73792 835099 73925 7f2da9 73792->73925 73793 83541c 73974 7f1e40 free 73793->73974 73796 835424 73975 7f1e40 free 73796->73975 73798 7f2fec 3 API calls 73800 8350b6 73798->73800 73928 7f1e40 free 73800->73928 73801 83542c 73976 7f1e40 free 73801->73976 73804 8350be 73929 7f1e40 free 73804->73929 73806 8350cd 73807 7f2f88 3 API calls 73806->73807 73808 8350e3 73807->73808 73809 8350f1 73808->73809 73810 835100 73808->73810 73930 7f30ea 73809->73930 73936 7f3044 malloc _CxxThrowException free ctype 73810->73936 73813 8350fe 73937 801029 6 API calls 73813->73937 73815 83511a 73816 835120 73815->73816 73817 83516b 73815->73817 73938 7f1e40 free 73816->73938 73944 80089e malloc _CxxThrowException free _CxxThrowException memcpy 73817->73944 73820 835128 73939 7f1e40 free 73820->73939 73821 835187 73824 8304d2 5 API calls 73821->73824 73823 835130 73940 7f1e40 free 73823->73940 73826 8351ba 73824->73826 73945 830516 malloc _CxxThrowException ctype 73826->73945 73827 835138 73941 7f1e40 free 73827->73941 73830 8351c5 73835 8351f5 73830->73835 73836 83522d 73830->73836 73831 835140 73942 7f1e40 free 73831->73942 73946 7f1e40 free 73835->73946 73838 7f2e04 2 API calls 73836->73838 73885 835235 73838->73885 73839 8351fd 73888 807fcf __EH_prolog 73887->73888 73889 808061 73888->73889 73891 80805c 73888->73891 73892 808019 73888->73892 73895 807ff4 73888->73895 73889->73891 73904 808025 73889->73904 73985 7f9630 VariantClear 73891->73985 73892->73895 73896 80801e 73892->73896 73894 8080b8 73897 7f965d VariantClear 73894->73897 73907 80800a 73895->73907 73977 7f950d 73895->73977 73898 808042 73896->73898 73899 808022 73896->73899 73901 8080c0 73897->73901 73983 7f9597 VariantClear 73898->73983 73902 808032 73899->73902 73899->73904 73901->73760 73901->73761 73982 7f9604 VariantClear 73902->73982 73904->73907 73984 7f95df VariantClear 73904->73984 73986 7f9736 VariantClear 73907->73986 73908->73773 73909->73773 73911 7f2f9a 73910->73911 73912 7f2fbe 73911->73912 73913 7f1e0c ctype 2 API calls 73911->73913 73912->73772 73914 7f2fb4 73913->73914 73993 7f1e40 free 73914->73993 73916->73776 73918 7f2e57 73917->73918 73994 7f2ba6 73918->73994 73921 7f2f1c 73922 7f2ba6 2 API calls 73921->73922 73923 7f2f2c 73922->73923 73923->73780 73924->73792 73997 7f2d4d 73925->73997 73928->73804 73929->73806 73931 7f30fd 73930->73931 73931->73931 73932 7f1e0c ctype 2 API calls 73931->73932 73935 7f311d 73931->73935 73933 7f3113 73932->73933 74000 7f1e40 free 73933->74000 73935->73813 73936->73813 73937->73815 73938->73820 73939->73823 73940->73827 73941->73831 73944->73821 73945->73830 73946->73839 73971->73786 73972->73788 73973->73793 73974->73796 73975->73801 73976->73773 73987 7f9767 73977->73987 73979 7f9518 SysAllocStringLen 73980 7f954f 73979->73980 73981 7f9539 _CxxThrowException 73979->73981 73980->73907 73981->73980 73982->73907 73983->73907 73984->73907 73985->73907 73986->73894 73988 7f9779 73987->73988 73989 7f9770 73987->73989 73992 7f9686 VariantClear 73988->73992 73989->73979 73991 7f9780 73991->73979 73992->73991 73993->73912 73995 7f1e0c ctype 2 API calls 73994->73995 73996 7f2bbb 73995->73996 73996->73921 73998 7f2ba6 2 API calls 73997->73998 73999 7f2d68 73998->73999 73999->73798 74000->73935 74002 84151b __EH_prolog 74001->74002 74008 8410d3 74002->74008 74005 841552 _CxxThrowException 74005->73699 74006 841589 74005->74006 74006->73699 74007->73698 74009 8410dd __EH_prolog 74008->74009 74040 83d1b7 74009->74040 74012 8412ef 74012->74005 74012->74006 74013 8411f4 74013->74012 74039 7fb95a 6 API calls 74013->74039 74014 84139e 74014->74012 74015 8413c4 74014->74015 74016 7f1e0c ctype 2 API calls 74014->74016 74017 801168 10 API calls 74015->74017 74016->74015 74020 8413da 74017->74020 74018 801168 10 API calls 74018->74013 74019 8413de 74088 7f1e40 free 74019->74088 74020->74019 74023 8413f9 74020->74023 74082 83ef67 _CxxThrowException 74020->74082 74047 83f047 74023->74047 74026 8414ba 74086 840943 50 API calls 2 library calls 74026->74086 74028 841450 74051 8406ae 74028->74051 74031 8414e7 74087 822db9 free ctype 74031->74087 74039->74014 74089 83d23c 74040->74089 74042 83d1ed 74096 7f1e40 free 74042->74096 74044 83d209 74097 7f1e40 free 74044->74097 74046 83d21c 74046->74012 74046->74013 74046->74018 74048 83f063 74047->74048 74049 83f072 74048->74049 74125 83ef67 _CxxThrowException 74048->74125 74049->74026 74049->74028 74083 83ef67 _CxxThrowException 74049->74083 74052 8406b8 __EH_prolog 74051->74052 74126 8403f4 74052->74126 74054 840877 74253 83b8dc 74054->74253 74059 8408e3 _CxxThrowException 74061 8408f7 74059->74061 74065 83b8dc ctype free 74061->74065 74068 840914 74065->74068 74066 7f1e0c ctype 2 API calls 74081 840715 74066->74081 74263 7f1e40 free 74068->74263 74071 84091c 74264 7f1e40 free 74071->74264 74080 83ef67 _CxxThrowException 74080->74081 74081->74054 74081->74059 74081->74061 74081->74066 74081->74080 74156 8012a5 74081->74156 74161 7f429a 74081->74161 74167 8381ec 74081->74167 74082->74023 74083->74028 74086->74031 74087->74019 74088->74012 74098 83d2b8 74089->74098 74092 83d25e 74115 7f1e40 free 74092->74115 74095 83d275 74095->74042 74096->74044 74097->74046 74117 7f1e40 free 74098->74117 74100 83d2c8 74118 7f1e40 free 74100->74118 74102 83d2dc 74119 7f1e40 free 74102->74119 74104 83d2e7 74120 7f1e40 free 74104->74120 74106 83d2f2 74121 7f1e40 free 74106->74121 74108 83d2fd 74122 7f1e40 free 74108->74122 74110 83d308 74123 7f1e40 free 74110->74123 74112 83d313 74114 83d246 74112->74114 74124 7f1e40 free 74112->74124 74114->74092 74116 7f1e40 free 74114->74116 74115->74095 74116->74092 74117->74100 74118->74102 74119->74104 74120->74106 74121->74108 74122->74110 74123->74112 74124->74114 74125->74049 74127 83f047 _CxxThrowException 74126->74127 74128 840407 74127->74128 74129 840475 74128->74129 74132 83f047 _CxxThrowException 74128->74132 74130 84049a 74129->74130 74270 83fa3f 22 API calls 2 library calls 74129->74270 74131 8404b8 74130->74131 74271 84159a malloc _CxxThrowException free ctype 74130->74271 74134 8404e8 74131->74134 74139 8404cd 74131->74139 74135 840421 74132->74135 74273 847c4a malloc _CxxThrowException free ctype 74134->74273 74140 84043e 74135->74140 74267 83ef67 _CxxThrowException 74135->74267 74136 840492 74141 83f047 _CxxThrowException 74136->74141 74272 83fff0 9 API calls 2 library calls 74139->74272 74268 83f93c 7 API calls 2 library calls 74140->74268 74141->74130 74145 8404e3 74152 84054a 74145->74152 74275 83ef67 _CxxThrowException 74145->74275 74146 840446 74148 84046d 74146->74148 74269 83ef67 _CxxThrowException 74146->74269 74147 8404db 74149 83f047 _CxxThrowException 74147->74149 74151 83f047 _CxxThrowException 74148->74151 74149->74145 74150 8404f3 74150->74145 74274 80089e malloc _CxxThrowException free _CxxThrowException memcpy 74150->74274 74151->74129 74152->74081 74157 8304d2 5 API calls 74156->74157 74158 8012ad 74157->74158 74159 7f1e0c ctype 2 API calls 74158->74159 74160 8012b4 74159->74160 74160->74081 74162 7f42c5 74161->74162 74163 7f42a7 74161->74163 74162->74081 74164 7f42b3 74163->74164 74276 7f1e40 free 74163->74276 74164->74162 74166 7f1e0c ctype 2 API calls 74164->74166 74166->74162 74168 8381f6 __EH_prolog 74167->74168 74277 83f749 74168->74277 74171 83823b 74254 83b8e6 __EH_prolog 74253->74254 74354 7f1e40 free 74254->74354 74256 83b90d 74355 82e647 free ctype 74256->74355 74263->74071 74267->74140 74268->74146 74269->74148 74270->74136 74271->74131 74272->74147 74273->74150 74274->74150 74275->74152 74276->74164 74278 83f779 74277->74278 74279 83f782 _CxxThrowException 74278->74279 74280 83f797 74278->74280 74279->74280 74280->74171 74354->74256 74356 81d948 74386 81dac7 74356->74386 74358 81d94f 74359 7f2e04 2 API calls 74358->74359 74360 81d97b 74359->74360 74361 7f2e04 2 API calls 74360->74361 74362 81d987 74361->74362 74363 81d9e7 74362->74363 74394 7f6404 74362->74394 74367 81da0f 74363->74367 74384 81da36 74363->74384 74419 7f1e40 free 74367->74419 74370 81d9bf 74417 7f1e40 free 74370->74417 74371 81da94 74423 7f1e40 free 74371->74423 74372 81da17 74420 7f1e40 free 74372->74420 74376 81d9c7 74418 7f1e40 free 74376->74418 74377 81da9c 74424 7f1e40 free 74377->74424 74378 7f2da9 2 API calls 74378->74384 74381 8304d2 5 API calls 74381->74384 74382 81d9cf 74384->74371 74384->74378 74384->74381 74421 7f1524 malloc _CxxThrowException __EH_prolog ctype 74384->74421 74422 7f1e40 free 74384->74422 74387 81dad1 __EH_prolog 74386->74387 74388 7f2e04 2 API calls 74387->74388 74389 81db33 74388->74389 74390 7f2e04 2 API calls 74389->74390 74391 81db3f 74390->74391 74392 7f2e04 2 API calls 74391->74392 74393 81db55 74392->74393 74393->74358 74425 7f631f 74394->74425 74397 7f6423 74399 7f2f88 3 API calls 74397->74399 74398 7f2f88 3 API calls 74398->74397 74400 7f643d 74399->74400 74401 807e5a 74400->74401 74402 807e64 __EH_prolog 74401->74402 74481 808179 74402->74481 74407 7f2fec 3 API calls 74408 807e9a 74407->74408 74409 7f2da9 2 API calls 74408->74409 74410 807ea7 74409->74410 74490 7f6c72 74410->74490 74414 807ecb 74416 807ed8 74414->74416 74592 7f757d GetLastError 74414->74592 74416->74363 74416->74370 74417->74376 74418->74382 74419->74372 74420->74382 74421->74384 74422->74384 74423->74377 74424->74382 74426 7f9245 74425->74426 74429 7f90da 74426->74429 74430 7f90e4 __EH_prolog 74429->74430 74431 7f2f88 3 API calls 74430->74431 74433 7f90f7 74431->74433 74432 7f915d 74434 7f2e04 2 API calls 74432->74434 74433->74432 74438 7f9109 74433->74438 74435 7f9165 74434->74435 74436 7f91be 74435->74436 74440 7f9174 74435->74440 74475 7f6332 6 API calls 2 library calls 74436->74475 74439 7f6414 74438->74439 74442 7f2e47 2 API calls 74438->74442 74439->74397 74439->74398 74443 7f2f88 3 API calls 74440->74443 74441 7f917d 74468 7f91ca 74441->74468 74473 7f859e malloc _CxxThrowException free _CxxThrowException 74441->74473 74444 7f9122 74442->74444 74443->74441 74470 7f8f57 memmove 74444->74470 74447 7f912e 74450 7f914d 74447->74450 74471 7f31e5 malloc _CxxThrowException free _CxxThrowException 74447->74471 74449 7f9185 74453 7f2e04 2 API calls 74449->74453 74472 7f1e40 free 74450->74472 74454 7f9197 74453->74454 74455 7f919f 74454->74455 74456 7f91ce 74454->74456 74457 7f91b9 74455->74457 74474 7f1089 malloc _CxxThrowException free _CxxThrowException 74455->74474 74458 7f2f88 3 API calls 74456->74458 74476 7f3199 malloc _CxxThrowException free _CxxThrowException 74457->74476 74458->74457 74461 7f91e6 74477 7f8f57 memmove 74461->74477 74463 7f91f2 74479 7f1e40 free 74463->74479 74464 7f91ee 74464->74463 74465 7f2fec 3 API calls 74464->74465 74467 7f9212 74465->74467 74478 7f31e5 malloc _CxxThrowException free _CxxThrowException 74467->74478 74480 7f1e40 free 74468->74480 74470->74447 74471->74450 74472->74439 74473->74449 74474->74457 74475->74441 74476->74461 74477->74464 74478->74463 74479->74468 74480->74439 74484 808906 74481->74484 74483 807e77 74486 817ebb 74483->74486 74484->74483 74593 808804 free ctype 74484->74593 74594 7f1e40 free 74484->74594 74488 807e7f 74486->74488 74489 817ec6 74486->74489 74487 7f1e40 free ctype 74487->74489 74488->74407 74489->74487 74489->74488 74492 7f6c7c __EH_prolog 74490->74492 74491 7f6cd3 74494 7f6ce2 74491->74494 74497 7f6d87 74491->74497 74492->74491 74493 7f6cb7 74492->74493 74495 7f2f88 3 API calls 74493->74495 74496 7f2f88 3 API calls 74494->74496 74498 7f6cc7 74495->74498 74502 7f6cf5 74496->74502 74499 7f2e47 2 API calls 74497->74499 74506 7f6f4a 74497->74506 74591 7f1e40 free 74498->74591 74500 7f6db0 74499->74500 74503 7f2e47 2 API calls 74500->74503 74501 7f6d4a 74612 7f7b41 28 API calls 74501->74612 74502->74501 74504 7f6d0b 74502->74504 74512 7f6dc0 74503->74512 74611 7f9252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 74504->74611 74507 7f6fd1 74506->74507 74510 7f6f7e 74506->74510 74514 7f70e5 74507->74514 74515 7f6fed 74507->74515 74533 7f701d 74507->74533 74509 7f6d5f 74613 7f764c 74509->74613 74630 7f6bf5 11 API calls 2 library calls 74510->74630 74511 7f6d36 74511->74501 74517 7f6d3a 74511->74517 74524 7f6dfe 74512->74524 74616 7f3221 malloc _CxxThrowException free _CxxThrowException 74512->74616 74595 7f6868 74514->74595 74632 7f6bf5 11 API calls 2 library calls 74515->74632 74517->74498 74521 7f6f85 74521->74514 74523 7f6f99 74521->74523 74522 7f6fca 74529 7f6848 FindClose 74522->74529 74532 7f2f88 3 API calls 74523->74532 74525 7f6e43 74524->74525 74537 7f6e1e 74524->74537 74528 7f6c72 42 API calls 74525->74528 74526 7f7006 74526->74522 74531 7f6e4e 74528->74531 74529->74498 74534 7f6f3a 74531->74534 74535 7f6e41 74531->74535 74536 7f6fb0 74532->74536 74533->74514 74633 7f717b 13 API calls 74533->74633 74628 7f1e40 free 74534->74628 74543 7f2f1c 2 API calls 74535->74543 74631 7f717b 13 API calls 74536->74631 74537->74535 74540 7f2fec 3 API calls 74537->74540 74540->74535 74542 7f7052 74545 7f7056 74542->74545 74546 7f7064 74542->74546 74547 7f6e77 74543->74547 74544 7f6f42 74629 7f1e40 free 74544->74629 74549 7f2f88 3 API calls 74545->74549 74551 7f2e47 2 API calls 74546->74551 74550 7f2e04 2 API calls 74547->74550 74587 7f705f 74549->74587 74582 7f6e83 74550->74582 74552 7f706d 74551->74552 74634 7f1089 malloc _CxxThrowException free _CxxThrowException 74552->74634 74555 7f6848 FindClose 74555->74498 74556 7f707b 74635 7f1089 malloc _CxxThrowException free _CxxThrowException 74556->74635 74558 7f7085 74563 7f6868 12 API calls 74558->74563 74559 7f6ecf 74621 7f1e40 free 74559->74621 74560 7f6ec7 SetLastError 74560->74559 74565 7f7095 74563->74565 74564 7f6f11 74622 7f1e40 free 74564->74622 74568 7f70bb 74565->74568 74569 7f7099 wcscmp 74565->74569 74567 7f6ed3 74620 7f31e5 malloc _CxxThrowException free _CxxThrowException 74567->74620 74636 7f6bf5 11 API calls 2 library calls 74568->74636 74569->74568 74572 7f70b1 74569->74572 74570 7f6f19 74623 7f6848 74570->74623 74577 7f2f88 3 API calls 74572->74577 74575 7f70c6 74583 7f70d8 74575->74583 74590 7f7129 74575->74590 74580 7f714c 74577->74580 74579 7f2e04 2 API calls 74579->74582 74639 7f1e40 free 74580->74639 74582->74559 74582->74560 74582->74567 74582->74579 74617 7f6bb5 17 API calls 74582->74617 74618 7f22bf CharUpperW 74582->74618 74619 7f1e40 free 74582->74619 74637 7f1e40 free 74583->74637 74585 7f6f2b 74627 7f1e40 free 74585->74627 74587->74555 74589 7f6ff2 74589->74514 74589->74526 74590->74572 74591->74414 74592->74416 74593->74484 74594->74484 74596 7f6872 __EH_prolog 74595->74596 74597 7f6848 FindClose 74596->74597 74599 7f6880 74597->74599 74598 7f68f6 74598->74522 74638 7f717b 13 API calls 74598->74638 74599->74598 74600 7f689b FindFirstFileW 74599->74600 74601 7f68a9 74599->74601 74600->74601 74603 7f2e04 2 API calls 74601->74603 74610 7f68ee 74601->74610 74604 7f68ba 74603->74604 74640 7f8b4a 74604->74640 74606 7f68d0 74607 7f68d4 FindFirstFileW 74606->74607 74608 7f68e2 74606->74608 74607->74608 74645 7f1e40 free 74608->74645 74610->74598 74646 7f6919 malloc _CxxThrowException free 74610->74646 74611->74511 74612->74509 74614 7f7656 CloseHandle 74613->74614 74615 7f7661 74613->74615 74614->74615 74615->74498 74616->74524 74617->74582 74618->74582 74619->74582 74620->74559 74621->74564 74622->74570 74624 7f6852 FindClose 74623->74624 74625 7f685d 74623->74625 74624->74625 74626 7f1e40 free 74625->74626 74626->74585 74627->74498 74628->74544 74629->74506 74630->74521 74631->74522 74632->74589 74633->74542 74634->74556 74635->74558 74636->74575 74637->74589 74638->74522 74639->74587 74647 7f8b80 74640->74647 74642 7f8b6e 74642->74606 74644 7f2f88 3 API calls 74644->74642 74645->74610 74646->74598 74649 7f8b8a __EH_prolog 74647->74649 74648 7f8b55 74648->74642 74648->74644 74649->74648 74650 7f8c7b 74649->74650 74656 7f8be1 74649->74656 74651 7f8d23 74650->74651 74653 7f8c8f 74650->74653 74652 7f8e8a 74651->74652 74655 7f8d3b 74651->74655 74654 7f2e47 2 API calls 74652->74654 74653->74655 74659 7f8c9e 74653->74659 74657 7f8e96 74654->74657 74658 7f2e04 2 API calls 74655->74658 74656->74648 74660 7f2e47 2 API calls 74656->74660 74665 7f2e47 2 API calls 74657->74665 74661 7f8d43 74658->74661 74662 7f2e47 2 API calls 74659->74662 74663 7f8c05 74660->74663 74744 7f6332 6 API calls 2 library calls 74661->74744 74673 7f8ca7 74662->74673 74668 7f8c17 74663->74668 74669 7f8c24 74663->74669 74667 7f8eb8 74665->74667 74666 7f8d52 74697 7f8d56 74666->74697 74745 7f859e malloc _CxxThrowException free _CxxThrowException 74666->74745 74756 7f8f57 memmove 74667->74756 74734 7f1e40 free 74668->74734 74676 7f2e47 2 API calls 74669->74676 74677 7f2e47 2 API calls 74673->74677 74675 7f8ec4 74678 7f8ede 74675->74678 74679 7f8ec8 74675->74679 74680 7f8c35 74676->74680 74683 7f8cd0 74677->74683 74759 7f3221 malloc _CxxThrowException free _CxxThrowException 74678->74759 74757 7f1e40 free 74679->74757 74735 7f8f57 memmove 74680->74735 74739 7f8f57 memmove 74683->74739 74685 7f8c41 74690 7f8c6b 74685->74690 74736 7f31e5 malloc _CxxThrowException free _CxxThrowException 74685->74736 74686 7f8eeb 74760 7f31e5 malloc _CxxThrowException free _CxxThrowException 74686->74760 74688 7f8ed0 74758 7f1e40 free 74688->74758 74738 7f1e40 free 74690->74738 74691 7f8cdc 74694 7f8d13 74691->74694 74740 7f3221 malloc _CxxThrowException free _CxxThrowException 74691->74740 74743 7f1e40 free 74694->74743 74755 7f1e40 free 74697->74755 74698 7f8f06 74700 7f2e04 2 API calls 74705 7f8ddf 74700->74705 74701 7f8c60 74737 7f31e5 malloc _CxxThrowException free _CxxThrowException 74701->74737 74703 7f8c73 74763 7f1e40 free 74703->74763 74704 7f8ced 74741 7f31e5 malloc _CxxThrowException free _CxxThrowException 74704->74741 74710 7f8e0e 74705->74710 74714 7f8df1 74705->74714 74715 7f2f88 3 API calls 74710->74715 74712 7f8d65 74712->74697 74712->74700 74713 7f8d08 74742 7f31e5 malloc _CxxThrowException free _CxxThrowException 74713->74742 74746 7f3199 malloc _CxxThrowException free _CxxThrowException 74714->74746 74718 7f8e0c 74715->74718 74719 7f8e03 74734->74648 74735->74685 74736->74701 74737->74690 74738->74703 74739->74691 74740->74704 74741->74713 74742->74694 74743->74703 74744->74666 74745->74712 74746->74719 74755->74648 74756->74675 74757->74688 74758->74648 74759->74686 74760->74698 74763->74648 74764 82acd3 74765 82ace0 74764->74765 74769 82acf1 74764->74769 74765->74769 74770 82acf8 74765->74770 74775 82c0b3 __EH_prolog 74770->74775 74771 82c0ed 74787 7f1e40 free 74771->74787 74773 82aceb 74777 7f1e40 free 74773->74777 74775->74771 74778 817193 74775->74778 74786 7f1e40 free 74775->74786 74777->74769 74779 81719d __EH_prolog 74778->74779 74788 822db9 free ctype 74779->74788 74781 8171b3 74789 8171d5 free __EH_prolog ctype 74781->74789 74783 8171bf 74790 7f1e40 free 74783->74790 74785 8171c7 74785->74775 74786->74775 74787->74773 74788->74781 74789->74783 74790->74785 74791 86f190 74792 7f1e0c ctype 2 API calls 74791->74792 74793 86f1b0 74792->74793 74794 8769d0 74795 8769d7 malloc 74794->74795 74796 8769d4 74794->74796 74798 801ade 74799 801ae8 __EH_prolog 74798->74799 74849 7f13f5 74799->74849 74802 801b32 6 API calls 74804 801b8d 74802->74804 74813 801bf8 74804->74813 74867 801ea4 9 API calls 74804->74867 74805 801b24 _CxxThrowException 74805->74802 74807 801bdf 74868 7f27bb 74807->74868 74811 801c89 74863 801eb9 74811->74863 74813->74811 74875 811d73 5 API calls __EH_prolog 74813->74875 74816 801cb2 _CxxThrowException 74816->74811 74850 7f13ff __EH_prolog 74849->74850 74851 817ebb free 74850->74851 74852 7f142b 74851->74852 74853 7f1438 74852->74853 74876 7f1212 free ctype 74852->74876 74855 7f1e0c ctype 2 API calls 74853->74855 74858 7f144d 74855->74858 74856 8304d2 5 API calls 74856->74858 74858->74856 74860 7f1507 74858->74860 74862 7f14f4 74858->74862 74877 7f1265 5 API calls 2 library calls 74858->74877 74878 7f1524 malloc _CxxThrowException __EH_prolog ctype 74858->74878 74861 7f2fec 3 API calls 74860->74861 74861->74862 74862->74802 74866 811d73 5 API calls __EH_prolog 74862->74866 74879 7f9313 GetCurrentProcess OpenProcessToken 74863->74879 74866->74805 74867->74807 74869 7f27c7 74868->74869 74870 7f27e3 74868->74870 74869->74870 74871 7f1e0c ctype 2 API calls 74869->74871 74874 7f1e40 free 74870->74874 74872 7f27da 74871->74872 74886 7f1e40 free 74872->74886 74874->74813 74875->74816 74876->74853 74877->74858 74878->74858 74880 7f933a LookupPrivilegeValueW 74879->74880 74881 7f9390 74879->74881 74882 7f934c AdjustTokenPrivileges 74880->74882 74883 7f9382 74880->74883 74882->74883 74884 7f9372 GetLastError 74882->74884 74885 7f9385 CloseHandle 74883->74885 74884->74885 74885->74881 74886->74870 74887 80459e 74888 8045ab 74887->74888 74889 8045bc 74887->74889 74888->74889 74893 8045c3 74888->74893 74894 8045cd __EH_prolog 74893->74894 74922 8079b2 free ctype 74894->74922 74896 8045e8 74923 7f1e40 free 74896->74923 74898 8045f3 74924 822db9 free ctype 74898->74924 74900 804609 74925 7f1e40 free 74900->74925 74902 804610 74926 7f1e40 free 74902->74926 74904 80461b 74927 7f1e40 free 74904->74927 74906 804626 74928 80794c free ctype 74906->74928 74908 804638 74929 822db9 free ctype 74908->74929 74910 80465b 74930 7f1e40 free 74910->74930 74912 80468e 74931 7f1e40 free 74912->74931 74914 8046ae 74932 804733 free __EH_prolog ctype 74914->74932 74916 8046be 74933 7f1e40 free 74916->74933 74918 8046e8 74934 7f1e40 free 74918->74934 74920 8045b6 74921 7f1e40 free 74920->74921 74921->74889 74922->74896 74923->74898 74924->74900 74925->74902 74926->74904 74927->74906 74928->74908 74929->74910 74930->74912 74931->74914 74932->74916 74933->74918 74934->74920 74935 7f7b20 74938 7f7ab2 74935->74938 74939 7f7ac5 74938->74939 74946 7f759a 74939->74946 74942 7f7b03 74960 7f7919 74942->74960 74943 7f7aeb SetFileTime 74943->74942 74947 7f75a4 __EH_prolog 74946->74947 74948 7f764c CloseHandle 74947->74948 74950 7f75af 74948->74950 74949 7f7632 74949->74942 74949->74943 74950->74949 74951 7f75e9 74950->74951 74952 7f75d4 CreateFileW 74950->74952 74951->74949 74953 7f2e04 2 API calls 74951->74953 74952->74951 74954 7f75fb 74953->74954 74955 7f8b4a 9 API calls 74954->74955 74956 7f7611 74955->74956 74957 7f762a 74956->74957 74958 7f7615 CreateFileW 74956->74958 74976 7f1e40 free 74957->74976 74958->74957 74961 7f7aac 74960->74961 74962 7f793c 74960->74962 74962->74961 74963 7f7945 DeviceIoControl 74962->74963 74964 7f7969 74963->74964 74965 7f79e6 74963->74965 74964->74965 74971 7f79a7 74964->74971 74966 7f79ef DeviceIoControl 74965->74966 74969 7f7a14 74965->74969 74967 7f7a22 DeviceIoControl 74966->74967 74966->74969 74968 7f7a44 DeviceIoControl 74967->74968 74967->74969 74968->74969 74969->74961 74978 7f780d 8 API calls ctype 74969->74978 74977 7f9252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 74971->74977 74972 7f7aa5 74979 7f77de 74972->74979 74975 7f79d0 74975->74965 74976->74949 74977->74975 74978->74972 74982 7f77c8 74979->74982 74983 7f7731 5 API calls 74982->74983 74984 7f77db 74983->74984 74984->74961 74985 82c2e6 74986 82c52f 74985->74986 74989 82544f SetConsoleCtrlHandler 74986->74989 74988 82c53b 74989->74988 74990 876ba3 VirtualFree 74991 83bf67 74992 83bf74 74991->74992 74993 83bf85 74991->74993 74992->74993 74997 83bf8c 74992->74997 74998 83bf96 __EH_prolog 74997->74998 75014 83d144 74998->75014 75002 83bfd0 75021 7f1e40 free 75002->75021 75004 83bfdb 75022 7f1e40 free 75004->75022 75006 83bfe6 75023 83c072 free ctype 75006->75023 75008 83bff4 75024 80aafa free VariantClear ctype 75008->75024 75010 83c023 75025 8173d2 free VariantClear __EH_prolog ctype 75010->75025 75012 83bf7f 75013 7f1e40 free 75012->75013 75013->74993 75016 83d14e __EH_prolog 75014->75016 75015 83d1b7 free 75017 83d180 75015->75017 75016->75015 75026 838e04 memset 75017->75026 75019 83bfc5 75020 7f1e40 free 75019->75020 75020->75002 75021->75004 75022->75006 75023->75008 75024->75010 75025->75012 75026->75019 75027 7fb5d9 75028 7fb5e6 75027->75028 75032 7fb5f7 75027->75032 75028->75032 75033 7fb5fe 75028->75033 75034 7fb608 __EH_prolog 75033->75034 75040 876a40 VirtualFree 75034->75040 75036 7fb63d 75037 7f764c CloseHandle 75036->75037 75038 7fb5f1 75037->75038 75039 7f1e40 free 75038->75039 75039->75032 75040->75036 75041 887da0 WaitForSingleObject 75042 887dbb GetLastError 75041->75042 75043 887dc1 75041->75043 75042->75043 75044 887dce CloseHandle 75043->75044 75046 887ddf 75043->75046 75045 887dd9 GetLastError 75044->75045 75044->75046 75045->75046 75047 801368 75049 80136d 75047->75049 75050 80138c 75049->75050 75053 887d80 WaitForSingleObject 75049->75053 75056 82f745 75049->75056 75060 887ea0 SetEvent GetLastError 75049->75060 75054 887d98 75053->75054 75055 887d8e GetLastError 75053->75055 75054->75049 75055->75054 75057 82f74f __EH_prolog 75056->75057 75061 82f784 75057->75061 75059 82f765 75059->75049 75060->75049 75062 82f78e __EH_prolog 75061->75062 75063 8012d4 4 API calls 75062->75063 75064 82f7c7 75063->75064 75065 8012d4 4 API calls 75064->75065 75066 82f7d4 75065->75066 75067 82f871 75066->75067 75070 7fc4d6 75066->75070 75076 876b23 VirtualAlloc 75066->75076 75067->75059 75074 7fc4e9 75070->75074 75071 7fc6f3 75071->75067 75072 80111c 10 API calls 75072->75074 75074->75071 75074->75072 75075 7fc695 memmove 75074->75075 75077 8011b4 75074->75077 75075->75074 75076->75067 75078 8011c1 75077->75078 75079 8011eb 75078->75079 75082 83ae7c 75078->75082 75087 83af27 75078->75087 75079->75074 75083 83ae86 75082->75083 75094 807190 75083->75094 75107 807140 75083->75107 75084 83aebb 75084->75078 75088 83af36 75087->75088 75091 83b010 75088->75091 75092 83aeeb 107 API calls 75088->75092 75189 7fbd0c 75088->75189 75194 83ad3a 75088->75194 75198 83aebf 107 API calls 75088->75198 75091->75078 75092->75088 75095 80719a __EH_prolog 75094->75095 75096 8071b0 75095->75096 75101 8071dd 75095->75101 75137 804d78 75096->75137 75099 8071b7 75099->75084 75100 807236 75100->75099 75102 8072b4 75100->75102 75106 8072a3 SetFileSecurityW 75100->75106 75111 806fc5 75101->75111 75103 804d78 VariantClear 75102->75103 75104 8072c0 75102->75104 75103->75104 75104->75099 75105 807140 7 API calls 75104->75105 75105->75099 75106->75102 75108 80718d 75107->75108 75109 80714b 75107->75109 75108->75084 75109->75108 75188 804dff 7 API calls 2 library calls 75109->75188 75112 806fcf __EH_prolog 75111->75112 75140 8044a6 75112->75140 75117 80709e 75167 7f1e40 free 75117->75167 75119 807029 75123 80706a 75119->75123 75162 804dff 7 API calls 2 library calls 75119->75162 75121 807051 75121->75123 75125 8011b4 107 API calls 75121->75125 75143 8068ac 75123->75143 75124 8070c0 75163 7f6096 15 API calls 2 library calls 75124->75163 75125->75123 75126 80712e 75126->75100 75128 8070d1 75129 8070e2 75128->75129 75164 804dff 7 API calls 2 library calls 75128->75164 75133 8070e6 75129->75133 75165 806b5e 69 API calls 2 library calls 75129->75165 75132 8070fd 75132->75133 75134 807103 75132->75134 75133->75117 75166 7f1e40 free 75134->75166 75136 80710b 75136->75126 75181 819262 75137->75181 75141 7f2e04 2 API calls 75140->75141 75142 8044be 75141->75142 75142->75119 75142->75123 75161 806e71 12 API calls 2 library calls 75142->75161 75144 8068b6 __EH_prolog 75143->75144 75146 806921 75144->75146 75159 8068c5 75144->75159 75169 7f7d4b 75144->75169 75147 806962 75146->75147 75151 806998 75146->75151 75175 806a17 6 API calls 2 library calls 75146->75175 75147->75151 75176 7f2dcd malloc _CxxThrowException 75147->75176 75150 8069e1 75179 7fbcf8 CloseHandle 75150->75179 75151->75150 75168 7f7c3b SetFileTime 75151->75168 75153 80697a 75177 806b09 13 API calls __EH_prolog 75153->75177 75158 80698c 75178 7f1e40 free 75158->75178 75159->75117 75159->75124 75161->75119 75162->75121 75163->75128 75164->75129 75165->75132 75166->75136 75167->75126 75168->75150 75170 7f77c8 5 API calls 75169->75170 75172 7f7d62 75170->75172 75171 7f7d76 75171->75146 75174 804dff 7 API calls 2 library calls 75171->75174 75172->75171 75180 7f7d3c SetEndOfFile 75172->75180 75174->75146 75175->75147 75176->75153 75177->75158 75178->75151 75179->75159 75180->75171 75183 81926c __EH_prolog 75181->75183 75182 8192a4 75185 7f965d VariantClear 75182->75185 75183->75182 75184 8192fc 75183->75184 75186 7f965d VariantClear 75184->75186 75187 804d91 75185->75187 75186->75187 75187->75099 75188->75108 75199 7f7ca2 75189->75199 75192 7fbd3d 75192->75088 75195 83ad44 __EH_prolog 75194->75195 75207 806305 75195->75207 75196 83adbf 75196->75088 75198->75088 75200 7f7caf 75199->75200 75202 7f7cdb 75200->75202 75204 7f7c68 75200->75204 75202->75192 75203 7fb8ec GetLastError 75202->75203 75203->75192 75205 7f7c79 WriteFile 75204->75205 75206 7f7c76 75204->75206 75205->75200 75206->75205 75208 80630f __EH_prolog 75207->75208 75244 8062b9 75208->75244 75210 806427 75213 7f965d VariantClear 75210->75213 75212 80644a 75214 7f965d VariantClear 75212->75214 75243 806445 75213->75243 75215 80646b 75214->75215 75248 805126 75215->75248 75218 818b05 VariantClear 75219 80648a 75218->75219 75220 804d78 VariantClear 75219->75220 75219->75243 75221 806499 75220->75221 75223 8064ca 75221->75223 75221->75243 75400 805110 9 API calls 75221->75400 75227 8064da 75223->75227 75223->75243 75401 7f42e3 CharUpperW 75223->75401 75224 8065de 75225 8065e7 75224->75225 75226 80669e 75224->75226 75229 7f1e0c ctype 2 API calls 75225->75229 75231 8065f6 75225->75231 75232 806754 75226->75232 75233 8066b8 75226->75233 75226->75243 75227->75224 75227->75243 75402 80789c free memmove ctype 75227->75402 75229->75231 75403 8136ea 75231->75403 75290 805bea 75232->75290 75236 7f1e0c ctype 2 API calls 75233->75236 75235 80666b 75416 7f1e40 free 75235->75416 75236->75243 75238 80665c 75415 7f31e5 malloc _CxxThrowException free _CxxThrowException 75238->75415 75243->75196 75245 8062c9 75244->75245 75417 818fa4 75245->75417 75249 805130 __EH_prolog 75248->75249 75250 8051b4 75249->75250 75255 80518e 75249->75255 75461 7f3097 malloc _CxxThrowException free SysStringLen ctype 75249->75461 75253 7f965d VariantClear 75250->75253 75250->75255 75252 7f965d VariantClear 75261 80527f 75252->75261 75254 8051bc 75253->75254 75254->75255 75256 805206 75254->75256 75257 805289 75254->75257 75255->75252 75462 7f3097 malloc _CxxThrowException free SysStringLen ctype 75256->75462 75257->75255 75258 805221 75257->75258 75260 7f965d VariantClear 75258->75260 75262 80522d 75260->75262 75261->75218 75261->75243 75262->75261 75263 805351 75262->75263 75463 805459 malloc _CxxThrowException __EH_prolog 75262->75463 75263->75261 75270 8053a1 75263->75270 75468 7f35e7 memmove 75263->75468 75266 8052ba 75464 7f8011 5 API calls ctype 75266->75464 75268 8052cf 75280 8052fd 75268->75280 75465 7f823d 10 API calls 2 library calls 75268->75465 75270->75261 75469 7f43b7 5 API calls 2 library calls 75270->75469 75273 8052e5 75274 7f2fec 3 API calls 75273->75274 75276 8052f5 75274->75276 75275 80540e 75471 80789c free memmove ctype 75275->75471 75466 7f1e40 free 75276->75466 75467 8054a0 free ctype 75280->75467 75281 80541c 75283 8136ea 5 API calls 75281->75283 75282 8053df 75282->75275 75282->75281 75470 7f42e3 CharUpperW 75282->75470 75284 805427 75283->75284 75285 7f2fec 3 API calls 75284->75285 75286 805433 75285->75286 75472 7f1e40 free 75286->75472 75288 80543b 75473 822db9 free ctype 75288->75473 75291 805bf4 __EH_prolog 75290->75291 75474 8054c0 75291->75474 75294 818b05 VariantClear 75295 805c34 75294->75295 75336 805e17 75295->75336 75489 805630 75295->75489 75298 8136ea 5 API calls 75299 805c51 75298->75299 75300 805c60 75299->75300 75586 8057c1 53 API calls 2 library calls 75299->75586 75301 7f2f1c 2 API calls 75300->75301 75303 805c6c 75301->75303 75306 805caa 75303->75306 75587 806217 4 API calls 2 library calls 75303->75587 75305 805c91 75307 7f2fec 3 API calls 75305->75307 75312 7f2e04 2 API calls 75306->75312 75365 805d49 75306->75365 75309 805d91 75310 805d55 75315 805cd2 75312->75315 75336->75243 75365->75309 75365->75310 75400->75223 75401->75223 75402->75224 75404 8136f4 __EH_prolog 75403->75404 75405 7f2e04 2 API calls 75404->75405 75411 81370a 75405->75411 75406 813736 75407 7f2f1c 2 API calls 75406->75407 75410 813742 75407->75410 75660 7f1e40 free 75410->75660 75411->75406 75661 7f1089 malloc _CxxThrowException free _CxxThrowException 75411->75661 75662 7f31e5 malloc _CxxThrowException free _CxxThrowException 75411->75662 75413 806633 75413->75235 75413->75238 75414 7f1089 malloc _CxxThrowException free _CxxThrowException 75413->75414 75414->75238 75415->75235 75416->75243 75418 818fae __EH_prolog 75417->75418 75419 817ebb free 75418->75419 75420 818ff2 75419->75420 75451 818b64 75420->75451 75423 806302 75423->75210 75423->75212 75423->75243 75425 819020 75425->75423 75426 7f2fec 3 API calls 75425->75426 75427 81903a 75426->75427 75440 81904d 75427->75440 75455 818b80 VariantClear 75427->75455 75429 8191b0 75458 818b9c 10 API calls 2 library calls 75429->75458 75430 819244 75460 7f43b7 5 API calls 2 library calls 75430->75460 75431 819144 75434 7f2f88 3 API calls 75431->75434 75439 81917b 75431->75439 75434->75439 75435 819100 75438 7f965d VariantClear 75435->75438 75436 8191c0 75436->75423 75443 7f2f88 3 API calls 75436->75443 75437 8190d6 75437->75435 75442 8190e7 75437->75442 75457 818f2e 9 API calls 75437->75457 75438->75423 75439->75429 75439->75430 75440->75423 75440->75431 75440->75435 75440->75437 75456 7f3097 malloc _CxxThrowException free SysStringLen ctype 75440->75456 75445 7f965d VariantClear 75442->75445 75449 8191ff 75443->75449 75445->75431 75446 819112 75446->75435 75447 818b64 VariantClear 75446->75447 75448 819123 75447->75448 75448->75435 75448->75442 75449->75423 75459 7f50ff free ctype 75449->75459 75452 818b05 VariantClear 75451->75452 75453 818b6f 75452->75453 75453->75423 75454 818f2e 9 API calls 75453->75454 75454->75425 75455->75440 75456->75437 75457->75446 75458->75436 75459->75423 75460->75423 75461->75250 75462->75258 75463->75266 75464->75268 75465->75273 75466->75280 75467->75263 75468->75263 75469->75282 75470->75282 75471->75281 75472->75288 75473->75261 75475 8054ca __EH_prolog 75474->75475 75476 7f965d VariantClear 75475->75476 75479 805507 75475->75479 75481 805528 75476->75481 75477 7f965d VariantClear 75478 805567 75477->75478 75478->75294 75478->75336 75479->75477 75480 805572 75482 7f965d VariantClear 75480->75482 75481->75479 75481->75480 75483 80558e 75482->75483 75611 804cac VariantClear __EH_prolog 75483->75611 75485 8055a1 75485->75478 75612 804cac VariantClear __EH_prolog 75485->75612 75487 8055b8 75487->75478 75613 804cac VariantClear __EH_prolog 75487->75613 75490 80563a __EH_prolog 75489->75490 75492 805679 75490->75492 75614 813558 10 API calls 2 library calls 75490->75614 75493 80571a 75492->75493 75494 7f2f1c 2 API calls 75492->75494 75493->75298 75495 805696 75494->75495 75615 813333 malloc _CxxThrowException free 75495->75615 75497 8056a2 75498 8056c5 75497->75498 75499 8056ad 75497->75499 75501 8056b4 75498->75501 75617 7f4adf wcscmp 75498->75617 75616 807853 5 API calls 2 library calls 75499->75616 75503 805707 75501->75503 75619 7f1089 malloc _CxxThrowException free _CxxThrowException 75501->75619 75620 7f31e5 malloc _CxxThrowException free _CxxThrowException 75503->75620 75505 8056d2 75505->75501 75618 807853 5 API calls 2 library calls 75505->75618 75507 805712 75586->75300 75587->75305 75611->75485 75612->75487 75613->75478 75614->75492 75615->75497 75616->75501 75617->75505 75618->75501 75619->75503 75620->75507 75660->75413 75661->75411 75662->75411 75663 82a42c 75664 82a435 fputs 75663->75664 75665 82a449 75663->75665 75821 7f1fa0 fputc 75664->75821 75822 82545d 75665->75822 75669 7f2e04 2 API calls 75670 82a4a1 75669->75670 75826 811858 75670->75826 75672 82a4c9 75888 7f1e40 free 75672->75888 75674 82a4d8 75675 82a4ee 75674->75675 75889 82c7d7 75674->75889 75677 82a50e 75675->75677 75897 8257fb 75675->75897 75907 82c73e 75677->75907 75681 82aae5 76084 822db9 free ctype 75681->76084 75683 82ac17 76085 822db9 free ctype 75683->76085 75684 7f1e0c ctype 2 API calls 75686 82a53a 75684->75686 75688 82a54d 75686->75688 76043 82b0fa malloc _CxxThrowException __EH_prolog 75686->76043 75687 82ac23 75689 82ac3a 75687->75689 75692 82ac35 75687->75692 75694 7f2fec 3 API calls 75688->75694 76087 82b96d _CxxThrowException 75689->76087 76086 82b988 33 API calls __aulldiv 75692->76086 75693 82ac42 76088 7f1e40 free 75693->76088 75700 82a586 75694->75700 75697 82ac4d 76089 813247 75697->76089 75925 82ad06 75700->75925 75704 82ac7d 76096 7f11c2 free __EH_prolog ctype 75704->76096 75708 82ac89 75821->75665 75823 825473 75822->75823 75824 825466 75822->75824 75823->75669 76099 7f275e malloc _CxxThrowException free ctype 75824->76099 75827 811862 __EH_prolog 75826->75827 76100 81021a 75827->76100 75832 8118b9 76114 811aa5 free __EH_prolog ctype 75832->76114 75834 811935 76119 811aa5 free __EH_prolog ctype 75834->76119 75835 8118c7 76115 822db9 free ctype 75835->76115 75838 811944 75860 811966 75838->75860 76120 811d73 5 API calls __EH_prolog 75838->76120 75840 8118d3 75840->75672 75842 8304d2 5 API calls 75846 8118db 75842->75846 75843 811958 _CxxThrowException 75843->75860 75845 8119be 76123 81f1f1 malloc _CxxThrowException free _CxxThrowException 75845->76123 75846->75834 75846->75842 76116 810144 malloc _CxxThrowException free _CxxThrowException 75846->76116 76117 7f1524 malloc _CxxThrowException __EH_prolog ctype 75846->76117 76118 7f1e40 free 75846->76118 75848 7f2e04 2 API calls 75848->75860 75850 8119d6 75852 817ebb free 75850->75852 75851 7f631f 9 API calls 75851->75860 75853 8119e1 75852->75853 75855 8012d4 4 API calls 75853->75855 75854 8304d2 5 API calls 75854->75860 75856 8119ea 75855->75856 75857 817ebb free 75856->75857 75859 8119f7 75857->75859 75861 8012d4 4 API calls 75859->75861 75860->75845 75860->75848 75860->75851 75860->75854 76121 7f1524 malloc _CxxThrowException __EH_prolog ctype 75860->76121 76122 7f1e40 free 75860->76122 75870 8119ff 75861->75870 75863 811a4f 76125 7f1e40 free 75863->76125 75864 7f1524 malloc _CxxThrowException 75864->75870 75866 811a57 76126 822db9 free ctype 75866->76126 75868 811a64 76127 822db9 free ctype 75868->76127 75870->75863 75870->75864 75872 811a83 75870->75872 76124 7f42e3 CharUpperW 75870->76124 76128 811d73 5 API calls __EH_prolog 75872->76128 75874 811a97 _CxxThrowException 75875 811aa5 __EH_prolog 75874->75875 76129 7f1e40 free 75875->76129 75877 811ac8 76130 8102e8 free ctype 75877->76130 75879 811ad1 76131 811eab free __EH_prolog ctype 75879->76131 75881 811add 76132 7f1e40 free 75881->76132 75883 811ae5 76133 7f1e40 free 75883->76133 75885 811aed 76134 822db9 free ctype 75885->76134 75887 811afa 75887->75672 75888->75674 75890 82c7ea 75889->75890 75891 82c849 75889->75891 75892 82c7fe fputs 75890->75892 76262 7f25cb malloc _CxxThrowException free _CxxThrowException ctype 75890->76262 75893 82c85a 75891->75893 76263 7f1f91 fflush 75891->76263 75892->75891 75893->75675 75898 825805 __EH_prolog 75897->75898 75906 825847 75898->75906 76264 7f26dd 75898->76264 75904 82583f 76284 7f1e40 free 75904->76284 75906->75677 75908 82c748 __EH_prolog 75907->75908 75909 82c7d7 ctype 6 API calls 75908->75909 75910 82c75d 75909->75910 76323 7f1e40 free 75910->76323 75912 82c768 75913 812c0b ctype free 75912->75913 75914 82c775 75913->75914 76324 7f1e40 free 75914->76324 75916 82c77d 76325 7f1e40 free 75916->76325 75918 82c785 76326 7f1e40 free 75918->76326 75920 82c78d 76327 7f1e40 free 75920->76327 75922 82c795 75923 812c0b ctype free 75922->75923 75924 82a51d 75923->75924 75924->75681 75924->75684 76328 82ad29 75925->76328 75928 82bf3e 75929 7f2fec 3 API calls 75928->75929 75930 82bf85 75929->75930 75931 7f2fec 3 API calls 75930->75931 75932 82a5ee 75931->75932 75933 803a29 75932->75933 75940 803a37 75933->75940 76043->75688 76084->75683 76085->75687 76086->75689 76087->75693 76088->75697 76090 81324e 76089->76090 76091 813260 76090->76091 77046 7f1e40 free 76090->77046 77045 7f1e40 free 76091->77045 76094 813267 76095 7f1e40 free 76094->76095 76095->75704 76096->75708 76099->75823 76101 810224 __EH_prolog 76100->76101 76135 803d66 76101->76135 76104 81062e 76105 810638 __EH_prolog 76104->76105 76106 8106de 76105->76106 76110 8101bc malloc _CxxThrowException free _CxxThrowException memcpy 76105->76110 76113 8106ee 76105->76113 76151 810703 76105->76151 76221 822db9 free ctype 76105->76221 76222 81019a malloc _CxxThrowException free memcpy 76106->76222 76108 8106e6 76223 811453 26 API calls 2 library calls 76108->76223 76110->76105 76113->75832 76113->75846 76114->75835 76115->75840 76116->75846 76117->75846 76118->75846 76119->75838 76120->75843 76121->75860 76122->75860 76123->75850 76124->75870 76125->75866 76126->75868 76127->75840 76128->75874 76129->75877 76130->75879 76131->75881 76132->75883 76133->75885 76134->75887 76146 88fb10 76135->76146 76137 803d70 GetCurrentProcess 76147 803e04 76137->76147 76139 803d8d OpenProcessToken 76140 803de3 76139->76140 76141 803d9e LookupPrivilegeValueW 76139->76141 76143 803e04 CloseHandle 76140->76143 76141->76140 76142 803dc0 AdjustTokenPrivileges 76141->76142 76142->76140 76144 803dd5 GetLastError 76142->76144 76145 803def 76143->76145 76144->76140 76145->76104 76146->76137 76148 803e11 CloseHandle 76147->76148 76149 803e0d 76147->76149 76150 803e21 76148->76150 76149->76139 76150->76139 76152 81070d __EH_prolog 76151->76152 76161 7f2da9 2 API calls 76152->76161 76166 810c83 76152->76166 76167 810b40 76152->76167 76171 7f2e04 2 API calls 76152->76171 76181 7f2fec 3 API calls 76152->76181 76191 810b26 76152->76191 76200 7f1524 malloc _CxxThrowException 76152->76200 76201 7f1e40 free ctype 76152->76201 76206 810ab5 76152->76206 76216 810b48 76152->76216 76217 8304d2 malloc _CxxThrowException free _CxxThrowException memcpy 76152->76217 76220 822db9 free ctype 76152->76220 76224 7f2f4a malloc _CxxThrowException free ctype 76152->76224 76225 7f1089 malloc _CxxThrowException free _CxxThrowException 76152->76225 76226 8113eb 5 API calls 2 library calls 76152->76226 76227 81050b 76152->76227 76232 810021 GetLastError 76152->76232 76233 7f49bd 9 API calls 2 library calls 76152->76233 76234 810306 12 API calls 76152->76234 76235 80ff00 5 API calls 2 library calls 76152->76235 76236 81057d 16 API calls 2 library calls 76152->76236 76237 810f8e 24 API calls 2 library calls 76152->76237 76238 7f472e CharUpperW 76152->76238 76239 808984 malloc _CxxThrowException free _CxxThrowException memcpy 76152->76239 76240 810ef4 68 API calls 2 library calls 76152->76240 76153 810e1d 76259 810416 18 API calls 2 library calls 76153->76259 76155 810ea6 76261 83ec78 free ctype 76155->76261 76156 810d11 76253 7f7496 7 API calls 2 library calls 76156->76253 76159 810c13 76250 7f1e40 free 76159->76250 76161->76152 76163 810de0 76255 822db9 free ctype 76163->76255 76164 7f2da9 2 API calls 76164->76206 76165 810e47 76165->76155 76260 81117d 68 API calls 2 library calls 76165->76260 76166->76153 76166->76156 76167->76105 76168 7f2f1c 2 API calls 76196 810d29 76168->76196 76170 810df8 76257 7f1e40 free 76170->76257 76171->76152 76173 7f2e04 2 API calls 76173->76206 76177 810e02 76258 822db9 free ctype 76177->76258 76178 7f2e04 2 API calls 76178->76196 76181->76152 76184 7f2fec 3 API calls 76184->76196 76185 7f2fec 3 API calls 76185->76206 76189 81050b 44 API calls 76189->76206 76242 7f1e40 free 76191->76242 76192 810df3 76256 7f1e40 free 76192->76256 76194 7f1e40 free ctype 76194->76196 76196->76163 76196->76168 76196->76170 76196->76178 76196->76184 76196->76192 76196->76194 76254 81117d 68 API calls 2 library calls 76196->76254 76198 810c79 76252 7f1e40 free 76198->76252 76199 810b30 76243 7f1e40 free 76199->76243 76200->76152 76201->76152 76202 7f1e40 free ctype 76202->76206 76206->76159 76206->76164 76206->76173 76206->76185 76206->76189 76206->76198 76206->76202 76241 7f2f4a malloc _CxxThrowException free ctype 76206->76241 76246 7f1089 malloc _CxxThrowException free _CxxThrowException 76206->76246 76247 8113eb 5 API calls 2 library calls 76206->76247 76248 810ef4 68 API calls 2 library calls 76206->76248 76249 822db9 free ctype 76206->76249 76251 810021 GetLastError 76206->76251 76207 810b38 76244 7f1e40 free 76207->76244 76245 822db9 free ctype 76216->76245 76217->76152 76220->76152 76221->76105 76222->76108 76223->76113 76224->76152 76225->76152 76226->76152 76228 7f6c72 44 API calls 76227->76228 76231 81051e 76228->76231 76229 810575 76229->76152 76230 7f2f88 3 API calls 76230->76229 76231->76229 76231->76230 76232->76152 76233->76152 76234->76152 76235->76152 76236->76152 76237->76152 76238->76152 76239->76152 76240->76152 76241->76206 76242->76199 76243->76207 76244->76167 76245->76191 76246->76206 76247->76206 76248->76206 76249->76206 76250->76167 76251->76206 76252->76166 76253->76196 76254->76196 76255->76167 76256->76170 76257->76177 76258->76167 76259->76165 76260->76165 76261->76167 76262->75892 76263->75893 76265 7f1e0c ctype 2 API calls 76264->76265 76266 7f26ea 76265->76266 76267 825678 76266->76267 76268 8256b1 76267->76268 76269 825689 76267->76269 76285 825593 76268->76285 76270 825593 6 API calls 76269->76270 76272 8256a5 76270->76272 76299 7f28a1 76272->76299 76277 82570e fputs 76283 7f1fa0 fputc 76277->76283 76279 8256ef 76280 825593 6 API calls 76279->76280 76281 825701 76280->76281 76282 825711 6 API calls 76281->76282 76282->76277 76283->75904 76284->75906 76286 8255ad 76285->76286 76287 7f28a1 5 API calls 76286->76287 76288 8255b8 76287->76288 76304 7f286d 76288->76304 76291 7f28a1 5 API calls 76292 8255c7 76291->76292 76293 825711 76292->76293 76294 825721 76293->76294 76295 8256e0 76293->76295 76296 7f28a1 5 API calls 76294->76296 76295->76277 76303 7f2881 malloc _CxxThrowException free memcpy _CxxThrowException 76295->76303 76297 82572b 76296->76297 76312 8255cd 6 API calls 76297->76312 76300 7f28b0 76299->76300 76313 7f267f 76300->76313 76302 7f28bf 76302->76268 76303->76279 76307 7f1e9d 76304->76307 76308 7f1ead 76307->76308 76309 7f1ea8 76307->76309 76308->76291 76311 7f263c malloc _CxxThrowException free memcpy _CxxThrowException 76309->76311 76311->76308 76312->76295 76314 7f26c2 76313->76314 76316 7f2693 76313->76316 76314->76302 76315 7f26c8 _CxxThrowException 76318 7f26dd 76315->76318 76316->76315 76317 7f26bc 76316->76317 76322 7f2595 malloc _CxxThrowException free memcpy ctype 76317->76322 76320 7f1e0c ctype 2 API calls 76318->76320 76321 7f26ea 76320->76321 76321->76302 76322->76314 76323->75912 76324->75916 76325->75918 76326->75920 76327->75922 76329 82ad33 __EH_prolog 76328->76329 76330 7f2e04 2 API calls 76329->76330 76331 82ad5f 76330->76331 76332 7f2e04 2 API calls 76331->76332 76333 82a5d8 76332->76333 76333->75928 77045->76094 77046->76090 77047 7f42d1 77048 7f42bd 77047->77048 77049 7f42c5 77048->77049 77050 7f1e0c ctype 2 API calls 77048->77050 77050->77049 77051 838eb1 77056 838ed1 77051->77056 77054 838ec9 77057 838edb __EH_prolog 77056->77057 77065 839267 77057->77065 77061 838efd 77070 82e5f1 free ctype 77061->77070 77063 838eb9 77063->77054 77064 7f1e40 free 77063->77064 77064->77054 77066 839271 __EH_prolog 77065->77066 77071 7f1e40 free 77066->77071 77068 838ef1 77069 83922b free CloseHandle GetLastError ctype 77068->77069 77069->77061 77070->77063 77071->77068 77072 82adb7 77073 82adc1 __EH_prolog 77072->77073 77074 7f26dd 2 API calls 77073->77074 77075 82ae1d 77074->77075 77076 7f2e04 2 API calls 77075->77076 77077 82ae38 77076->77077 77078 7f2e04 2 API calls 77077->77078 77079 82ae44 77078->77079 77080 7f2e04 2 API calls 77079->77080 77081 82ae68 77080->77081 77082 82ad29 2 API calls 77081->77082 77083 82ae85 77082->77083 77088 82af2d 77083->77088 77085 82ae94 77086 7f2e04 2 API calls 77085->77086 77087 82aeb2 77086->77087 77089 82af37 __EH_prolog 77088->77089 77100 8034f4 malloc _CxxThrowException __EH_prolog 77089->77100 77091 82afac 77092 7f2e04 2 API calls 77091->77092 77093 82afbb 77092->77093 77094 7f2e04 2 API calls 77093->77094 77095 82afca 77094->77095 77096 7f2e04 2 API calls 77095->77096 77097 82afd9 77096->77097 77098 7f2e04 2 API calls 77097->77098 77099 82afe8 77098->77099 77099->77085 77100->77091 77104 825475 77105 7f2fec 3 API calls 77104->77105 77106 8254b4 77105->77106 77107 82c911 24 API calls 77106->77107 77108 8254bb 77107->77108 77109 8769f0 free 77110 88ffb1 __setusermatherr 77111 88ffbd 77110->77111 77116 890068 _controlfp 77111->77116 77113 88ffc2 _initterm __getmainargs _initterm __p___initenv 77114 82c27c 77113->77114 77115 89001d exit _XcptFilter 77114->77115 77116->77113 77117 81cefb 77118 81cf03 77117->77118 77146 81d0cc 77117->77146 77118->77146 77164 81cae9 VariantClear 77118->77164 77120 81cf59 77120->77146 77165 81cae9 VariantClear 77120->77165 77122 81cf71 77122->77146 77166 81cae9 VariantClear 77122->77166 77124 81cf87 77124->77146 77167 81cae9 VariantClear 77124->77167 77126 81cf9d 77126->77146 77168 81cae9 VariantClear 77126->77168 77128 81cfb3 77128->77146 77169 81cae9 VariantClear 77128->77169 77130 81cfc9 77130->77146 77170 7f4504 malloc _CxxThrowException 77130->77170 77132 81cfdc 77133 7f2e04 2 API calls 77132->77133 77135 81cfe7 77133->77135 77134 81d009 77138 81d080 77134->77138 77139 81d030 77134->77139 77158 81d07b 77134->77158 77135->77134 77136 7f2f88 3 API calls 77135->77136 77136->77134 77175 817a0c CharUpperW 77138->77175 77142 7f2e04 2 API calls 77139->77142 77140 81d0c4 77179 7f1e40 free 77140->77179 77145 81d038 77142->77145 77144 81d08b 77176 80fdbc 4 API calls 2 library calls 77144->77176 77147 7f2e04 2 API calls 77145->77147 77149 81d046 77147->77149 77171 80fdbc 4 API calls 2 library calls 77149->77171 77150 81d0a7 77152 7f2fec 3 API calls 77150->77152 77154 81d0b3 77152->77154 77153 81d057 77155 7f2fec 3 API calls 77153->77155 77177 7f1e40 free 77154->77177 77157 81d063 77155->77157 77172 7f1e40 free 77157->77172 77178 7f1e40 free 77158->77178 77160 81d06b 77173 7f1e40 free 77160->77173 77162 81d073 77174 7f1e40 free 77162->77174 77164->77120 77165->77122 77166->77124 77167->77126 77168->77128 77169->77130 77170->77132 77171->77153 77172->77160 77173->77162 77174->77158 77175->77144 77176->77150 77177->77158 77178->77140 77179->77146 77180 7fb144 77181 7fb153 77180->77181 77183 7fb159 77180->77183 77182 8011b4 107 API calls 77181->77182 77182->77183 77184 82993d 77268 82b5b1 77184->77268 77187 829963 77274 801f33 77187->77274 77188 7f1fb3 11 API calls 77188->77187 77190 829975 77191 8299b7 GetStdHandle GetConsoleScreenBufferInfo 77190->77191 77192 8299ce 77190->77192 77191->77192 77193 7f1e0c ctype 2 API calls 77192->77193 77194 8299dc 77193->77194 77395 817b48 77194->77395 77196 829a29 77412 82b96d _CxxThrowException 77196->77412 77198 829a30 77413 817018 8 API calls 2 library calls 77198->77413 77200 829a7c 77414 81ddb5 6 API calls 2 library calls 77200->77414 77201 829a66 _CxxThrowException 77201->77200 77203 829aa6 77205 829aaa _CxxThrowException 77203->77205 77213 829ac0 77203->77213 77204 829a37 77204->77200 77204->77201 77205->77213 77206 829b3a 77418 7f1fa0 fputc 77206->77418 77208 829bfa _CxxThrowException 77263 829be6 77208->77263 77210 829b63 fputs 77419 7f1fa0 fputc 77210->77419 77213->77206 77213->77208 77415 817dd7 7 API calls 2 library calls 77213->77415 77416 82c077 6 API calls 77213->77416 77417 7f1e40 free 77213->77417 77214 829b79 strlen strlen 77216 829e25 77214->77216 77217 829baa fputs fputc 77214->77217 77427 7f1fa0 fputc 77216->77427 77217->77263 77219 829e2c fputs 77428 7f1fa0 fputc 77219->77428 77221 829f0c 77433 7f1fa0 fputc 77221->77433 77224 829f13 fputs 77434 7f1fa0 fputc 77224->77434 77226 82b67d 12 API calls 77226->77263 77228 829f9f 77231 7f2e04 2 API calls 77231->77263 77240 7f31e5 malloc _CxxThrowException free _CxxThrowException 77240->77263 77244 829f29 77244->77228 77256 829f77 fputs 77244->77256 77435 82b650 fputc fputs fputs fputc 77244->77435 77436 82b5e9 fputc fputs 77244->77436 77437 82bde4 fputc fputs 77244->77437 77245 829d2a fputs 77424 7f21d8 fputs 77245->77424 77250 829d5f fputs 77250->77263 77254 829e42 77254->77221 77261 829ee0 fputs 77254->77261 77429 82b650 fputc fputs fputs fputc 77254->77429 77430 7f21d8 fputs 77254->77430 77431 82bde4 fputc fputs 77254->77431 77432 7f1fa0 fputc 77261->77432 77263->77216 77263->77217 77263->77226 77263->77231 77263->77240 77263->77245 77263->77250 77420 7f21d8 fputs 77263->77420 77421 7f315e malloc _CxxThrowException free _CxxThrowException 77263->77421 77422 7f3221 malloc _CxxThrowException free _CxxThrowException 77263->77422 77423 7f1089 malloc _CxxThrowException free _CxxThrowException 77263->77423 77425 7f1fa0 fputc 77263->77425 77426 7f1e40 free 77263->77426 77269 82994a 77268->77269 77270 82b5bc fputs 77268->77270 77269->77187 77269->77188 77446 7f1fa0 fputc 77270->77446 77272 82b5d5 77272->77269 77273 82b5d9 fputs 77272->77273 77273->77269 77275 801f6c 77274->77275 77276 801f4f 77274->77276 77447 8029eb 77275->77447 77479 811d73 5 API calls __EH_prolog 77276->77479 77280 801f5e _CxxThrowException 77280->77275 77281 801fa3 77283 801fbc 77281->77283 77285 7f4fc0 5 API calls 77281->77285 77286 801fda 77283->77286 77287 7f2fec 3 API calls 77283->77287 77284 801f95 _CxxThrowException 77284->77281 77285->77283 77288 802022 wcscmp 77286->77288 77297 802036 77286->77297 77287->77286 77289 8020af 77288->77289 77288->77297 77481 811d73 5 API calls __EH_prolog 77289->77481 77291 8020a9 77482 80393c 6 API calls 2 library calls 77291->77482 77292 8020be _CxxThrowException 77292->77297 77294 8020f4 77483 80393c 6 API calls 2 library calls 77294->77483 77296 802108 77298 802135 77296->77298 77484 802e04 62 API calls 2 library calls 77296->77484 77297->77291 77300 80219a 77297->77300 77307 802159 77298->77307 77485 802e04 62 API calls 2 library calls 77298->77485 77486 811d73 5 API calls __EH_prolog 77300->77486 77303 8021a9 _CxxThrowException 77303->77307 77304 80227f 77452 802aa9 77304->77452 77306 802245 77309 7f2fec 3 API calls 77306->77309 77307->77304 77307->77306 77487 811d73 5 API calls __EH_prolog 77307->77487 77312 80225c 77309->77312 77311 802237 _CxxThrowException 77311->77306 77312->77304 77488 811d73 5 API calls __EH_prolog 77312->77488 77313 8022d9 77315 802302 77313->77315 77318 7f2fec 3 API calls 77313->77318 77314 7f2fec 3 API calls 77314->77313 77316 7f4fc0 5 API calls 77315->77316 77319 802315 77316->77319 77318->77315 77470 80384c 77319->77470 77320 802271 _CxxThrowException 77320->77304 77322 802322 77324 8023a1 77322->77324 77327 8026c6 77322->77327 77323 8028ce 77325 80293a 77323->77325 77332 8028d5 77323->77332 77340 80247a wcscmp 77324->77340 77356 80248e 77324->77356 77330 8029a5 77325->77330 77331 80293f 77325->77331 77326 802700 77502 8032ec 14 API calls 2 library calls 77326->77502 77327->77323 77327->77326 77501 811d73 5 API calls __EH_prolog 77327->77501 77334 8029ae _CxxThrowException 77330->77334 77390 80264d 77330->77390 77509 7f4eec 16 API calls 77331->77509 77332->77390 77508 811d73 5 API calls __EH_prolog 77332->77508 77333 8026f2 _CxxThrowException 77333->77326 77335 802713 77338 803a29 5 API calls 77335->77338 77350 802722 77338->77350 77339 80294c 77510 7f4ea1 8 API calls 77339->77510 77341 8024cf wcscmp 77340->77341 77340->77356 77345 8024ef wcscmp 77341->77345 77341->77356 77349 80250f 77345->77349 77345->77356 77346 802953 77347 7f4fc0 5 API calls 77346->77347 77347->77390 77348 802920 _CxxThrowException 77348->77390 77492 811d73 5 API calls __EH_prolog 77349->77492 77353 8027cf 77350->77353 77355 7f2fec 3 API calls 77350->77355 77352 80251e _CxxThrowException 77354 80252c 77352->77354 77357 802880 77353->77357 77361 80281f 77353->77361 77504 811d73 5 API calls __EH_prolog 77353->77504 77358 802569 77354->77358 77493 802e04 62 API calls 2 library calls 77354->77493 77359 8027a9 77355->77359 77356->77354 77489 7f4eec 16 API calls 77356->77489 77490 7f4ea1 8 API calls 77356->77490 77491 811d73 5 API calls __EH_prolog 77356->77491 77362 80289b 77357->77362 77365 7f2fec 3 API calls 77357->77365 77364 80258c 77358->77364 77494 802e04 62 API calls 2 library calls 77358->77494 77359->77353 77503 7f3563 memmove 77359->77503 77361->77357 77368 802847 77361->77368 77505 811d73 5 API calls __EH_prolog 77361->77505 77362->77390 77507 811d73 5 API calls __EH_prolog 77362->77507 77370 8025a4 77364->77370 77495 802a61 malloc _CxxThrowException free _CxxThrowException memcpy 77364->77495 77365->77362 77366 8024c1 _CxxThrowException 77366->77341 77368->77357 77506 811d73 5 API calls __EH_prolog 77368->77506 77496 7f4eec 16 API calls 77370->77496 77371 802811 _CxxThrowException 77371->77361 77377 8028c0 _CxxThrowException 77377->77323 77378 802839 _CxxThrowException 77378->77368 77380 8025ad 77497 811b07 49 API calls 77380->77497 77381 802872 _CxxThrowException 77381->77357 77383 8025b4 77498 7f4ea1 8 API calls 77383->77498 77385 8025bb 77386 7f2fec 3 API calls 77385->77386 77388 8025d6 77385->77388 77386->77388 77387 80261f 77387->77390 77391 7f2fec 3 API calls 77387->77391 77388->77387 77388->77390 77499 811d73 5 API calls __EH_prolog 77388->77499 77390->77190 77392 80263f 77391->77392 77500 7f859e malloc _CxxThrowException free _CxxThrowException 77392->77500 77393 802611 _CxxThrowException 77393->77387 77396 817b52 __EH_prolog 77395->77396 77520 817eec 77396->77520 77399 7f30ea malloc _CxxThrowException free 77406 817b63 77399->77406 77400 7f2e04 malloc _CxxThrowException 77400->77406 77402 7f1e40 free ctype 77402->77406 77404 8012a5 5 API calls 77404->77406 77405 8304d2 5 API calls 77405->77406 77406->77399 77406->77400 77406->77402 77406->77404 77406->77405 77407 7f429a 3 API calls 77406->77407 77409 817c61 memcpy 77406->77409 77410 817193 free 77406->77410 77411 817ca4 77406->77411 77525 8170ea 77406->77525 77528 817a40 77406->77528 77546 817cc3 6 API calls 77406->77546 77547 8174eb malloc _CxxThrowException memcpy __EH_prolog ctype 77406->77547 77407->77406 77409->77406 77410->77406 77411->77196 77412->77198 77413->77204 77414->77203 77415->77213 77416->77213 77417->77213 77418->77210 77419->77214 77420->77263 77421->77263 77422->77263 77423->77263 77424->77263 77425->77263 77426->77263 77427->77219 77428->77254 77429->77254 77430->77254 77431->77254 77432->77254 77433->77224 77434->77244 77435->77244 77436->77244 77437->77244 77446->77272 77448 7f2f1c 2 API calls 77447->77448 77449 8029fe 77448->77449 77511 7f1e40 free 77449->77511 77451 801f7e 77451->77281 77480 811d73 5 API calls __EH_prolog 77451->77480 77453 802ab3 __EH_prolog 77452->77453 77454 7f2e8a 2 API calls 77453->77454 77464 802b0f 77453->77464 77455 802af4 77454->77455 77512 802a61 malloc _CxxThrowException free _CxxThrowException memcpy 77455->77512 77456 8022ad 77456->77313 77456->77314 77458 802bc6 77518 811d73 5 API calls __EH_prolog 77458->77518 77459 802b04 77513 7f1e40 free 77459->77513 77462 802bd6 _CxxThrowException 77462->77456 77464->77456 77464->77458 77467 802b9f 77464->77467 77514 802cb4 48 API calls 2 library calls 77464->77514 77515 802bf5 8 API calls __EH_prolog 77464->77515 77516 802a61 malloc _CxxThrowException free _CxxThrowException memcpy 77464->77516 77467->77456 77517 811d73 5 API calls __EH_prolog 77467->77517 77469 802bb8 _CxxThrowException 77469->77458 77477 803856 __EH_prolog 77470->77477 77471 803917 77471->77322 77472 7f2e04 malloc _CxxThrowException 77472->77477 77473 7f2fec 3 API calls 77473->77477 77474 8304d2 5 API calls 77474->77477 77475 7f2f88 3 API calls 77475->77477 77477->77471 77477->77472 77477->77473 77477->77474 77477->77475 77478 7f1e40 free ctype 77477->77478 77519 803b76 malloc _CxxThrowException __EH_prolog ctype 77477->77519 77478->77477 77479->77280 77480->77284 77481->77292 77482->77294 77483->77296 77484->77298 77485->77307 77486->77303 77487->77311 77488->77320 77489->77356 77490->77356 77491->77366 77492->77352 77493->77358 77494->77364 77495->77370 77496->77380 77497->77383 77498->77385 77499->77393 77500->77390 77501->77333 77502->77335 77503->77353 77504->77371 77505->77378 77506->77381 77507->77377 77508->77348 77509->77339 77510->77346 77511->77451 77512->77459 77513->77464 77514->77464 77515->77464 77516->77464 77517->77469 77518->77462 77519->77477 77521 817f14 77520->77521 77522 817ef7 77520->77522 77521->77406 77522->77521 77523 817193 free 77522->77523 77548 7f1e40 free 77522->77548 77523->77522 77526 7f2e04 2 API calls 77525->77526 77527 817103 77526->77527 77527->77406 77529 817a4a __EH_prolog 77528->77529 77549 7f361b 6 API calls 2 library calls 77529->77549 77531 817a78 77550 7f361b 6 API calls 2 library calls 77531->77550 77533 817b20 77552 822db9 free ctype 77533->77552 77535 7f2e04 malloc _CxxThrowException 77537 817a83 77535->77537 77536 817b2b 77553 822db9 free ctype 77536->77553 77537->77533 77537->77535 77540 7f2fec 3 API calls 77537->77540 77541 7f2fec 3 API calls 77537->77541 77542 8304d2 5 API calls 77537->77542 77545 7f1e40 free ctype 77537->77545 77551 817955 malloc _CxxThrowException __EH_prolog ctype 77537->77551 77539 817b37 77539->77406 77540->77537 77543 817aca wcscmp 77541->77543 77542->77537 77543->77537 77545->77537 77546->77406 77547->77406 77548->77522 77549->77531 77550->77537 77551->77537 77552->77536 77553->77539

                              Executed Functions

                              Function 007F9313 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1028 7f9313-7f9338 GetCurrentProcess OpenProcessToken 1029 7f933a-7f934a LookupPrivilegeValueW 1028->1029 1030 7f9390 1028->1030 1032 7f934c-7f9370 AdjustTokenPrivileges 1029->1032 1033 7f9382 1029->1033 1031 7f9393-7f9398 1030->1031 1032->1033 1034 7f9372-7f9380 GetLastError 1032->1034 1035 7f9385-7f938e CloseHandle 1033->1035 1034->1035 1035->1031
                              APIs
                              • GetCurrentProcess.KERNEL32(00000020,00801EC5,?,7597AB50,?,?,?,?,00801EC5,00801CEF), ref: 007F9329
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00801EC5,00801CEF), ref: 007F9330
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 007F9342
                              • AdjustTokenPrivileges.KERNELBASE(00801EC5,00000000,?,00000000,00000000,00000000), ref: 007F9368
                              • GetLastError.KERNEL32 ref: 007F9372
                              • CloseHandle.KERNELBASE(00801EC5,?,?,?,?,00801EC5,00801CEF), ref: 007F9388
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeRestorePrivilege
                              • API String ID: 3398352648-1684392131
                              • Opcode ID: e932a800a1b0535448b1af52559e046a45581710416a92992dbcb6f954487ca4
                              • Instruction ID: 4d642cc703d83d916a49b217e11677eab33050cc58aaf0996c2a3ccdfa8081ad
                              • Opcode Fuzzy Hash: e932a800a1b0535448b1af52559e046a45581710416a92992dbcb6f954487ca4
                              • Instruction Fuzzy Hash: 70018076A45218EBCB10ABF19C49BEEBF7CBF05340F080165E642E2290D6768608DBA0
                              Function 00803D66 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1036 803d66-803d9c call 88fb10 GetCurrentProcess call 803e04 OpenProcessToken 1041 803de3-803dfe call 803e04 1036->1041 1042 803d9e-803dbe LookupPrivilegeValueW 1036->1042 1042->1041 1043 803dc0-803dd3 AdjustTokenPrivileges 1042->1043 1043->1041 1045 803dd5-803de1 GetLastError 1043->1045 1045->1041
                              APIs
                              • __EH_prolog.LIBCMT ref: 00803D6B
                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803D7D
                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803D94
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00803DB6
                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803DCB
                              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803DD5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeSecurityPrivilege
                              • API String ID: 3475889169-2333288578
                              • Opcode ID: c8d2811e811c498b1dd8f4c340430d7bdc8068690e930e63e542f4d8ccca03a2
                              • Instruction ID: 8200fb11edd6682d1cacdf111d39fbac74822bed5960f7ea0b5f013b7d17926e
                              • Opcode Fuzzy Hash: c8d2811e811c498b1dd8f4c340430d7bdc8068690e930e63e542f4d8ccca03a2
                              • Instruction Fuzzy Hash: 64113CB1A40219EFDB10FFA5CC85AFEBBBCFB04344F44062AE512E2191D7358A08CB60
                              Function 008381EC Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 995COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 008381F1
                                • Part of subcall function 0083F749: _CxxThrowException.MSVCRT(?,008A4A58), ref: 0083F792
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 461045715-3916222277
                              • Opcode ID: 2ad62e1a58e18ebb23be5e79862333f49f3c968dbdf51e8e3b30eafa7bc4a93b
                              • Instruction ID: ba480d31ef97a07bf298f438872dceeddb54098fe7b09419bdfe5e2613cbb4d7
                              • Opcode Fuzzy Hash: 2ad62e1a58e18ebb23be5e79862333f49f3c968dbdf51e8e3b30eafa7bc4a93b
                              • Instruction Fuzzy Hash: 4F925A30900259DFDB15DFA8C884BAEBBB1FF98304F244099F855EB291CB759E45CBA1
                              Function 007F6868 Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F686D
                                • Part of subcall function 007F6848: FindClose.KERNELBASE(00000000,?,007F6880), ref: 007F6853
                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 007F68A5
                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 007F68DE
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: Find$FileFirst$CloseH_prolog
                              • String ID:
                              • API String ID: 3371352514-0
                              • Opcode ID: db0170a153280db519a47aee68647f4b1925c8ae3b3c18e31a13307b6fb82998
                              • Instruction ID: 589fe978fe00de0b2eca81d7b24e398aee2968bb10f67dea2faf2c59c8dd02e9
                              • Opcode Fuzzy Hash: db0170a153280db519a47aee68647f4b1925c8ae3b3c18e31a13307b6fb82998
                              • Instruction Fuzzy Hash: 2911907150020DEBCF10EFA4C8559FDB779EF50364F20462DEA6197292DB399E86DB40
                              Function 0082A013 Relevance: 56.7, APIs: 15, Strings: 17, Instructions: 690COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 82a013-82a01a 1 82a020-82a02d call 801ac8 0->1 2 82a37a-82a544 call 8304d2 call 7f1524 call 8304d2 call 7f1524 call 7f1e0c 0->2 7 82a033-82a03a 1->7 8 82a22e-82a235 1->8 64 82a551 2->64 65 82a546-82a54f call 82b0fa 2->65 10 82a054-82a089 call 8292d3 7->10 11 82a03c-82a042 7->11 13 82a367-82a375 call 82b55f 8->13 14 82a23b-82a24d call 82b4f6 8->14 28 82a08b-82a091 10->28 29 82a099 10->29 11->10 15 82a044-82a04f call 7f30ea 11->15 30 82ac23-82ac2a 13->30 25 82a259-82a2fb call 817ebb call 7f27bb call 7f26dd call 813d70 call 82ad99 call 7f27bb 14->25 26 82a24f-82a253 14->26 15->10 94 82a303-82a362 call 82b6ab call 822db9 call 7f1e40 * 2 call 82bff8 25->94 95 82a2fd 25->95 26->25 28->29 33 82a093-82a097 28->33 34 82a09d-82a0de call 7f2fec call 82b369 29->34 35 82ac3a-82ac66 call 82b96d call 7f1e40 call 813247 30->35 36 82ac2c-82ac33 30->36 33->34 55 82a0e0-82a0e4 34->55 56 82a0ea-82a0fa 34->56 69 82ac68-82ac6a 35->69 70 82ac6e-82acb5 call 7f1e40 call 7f11c2 call 82be0c call 822db9 35->70 36->35 41 82ac35 36->41 46 82ac35 call 82b988 41->46 46->35 55->56 60 82a0fc-82a102 56->60 61 82a10d 56->61 60->61 67 82a104-82a10b 60->67 68 82a114-82a19e call 7f2fec call 817ebb call 82ad99 61->68 66 82a553-82a55c 64->66 65->66 73 82a564-82a5c1 call 7f2fec call 82b277 66->73 74 82a55e-82a560 66->74 67->68 103 82a1a2 call 81f8e0 68->103 69->70 97 82a5c3-82a5c7 73->97 98 82a5cd-82a652 call 82ad06 call 82bf3e call 803a29 call 7f2e04 call 814345 73->98 74->73 94->30 95->94 97->98 136 82a676-82a6c8 call 812096 98->136 137 82a654-82a671 call 81375c call 82b96d 98->137 108 82a1a7-82a1b1 103->108 112 82a1b3-82a1bb call 82c7d7 108->112 113 82a1c0-82a1c9 108->113 112->113 114 82a1d1-82a229 call 82b6ab call 822db9 call 7f1e40 call 82bfa4 call 82940b 113->114 115 82a1cb 113->115 114->30 115->114 143 82a6cd-82a6d6 136->143 137->136 146 82a6e2-82a6e5 143->146 147 82a6d8-82a6dd call 82c7d7 143->147 150 82a6e7-82a6ee 146->150 151 82a72e-82a73a 146->151 147->146 154 82a722-82a725 150->154 155 82a6f0-82a71d call 7f1fa0 fputs call 7f1fa0 call 7f1fb3 call 7f1fa0 150->155 152 82a79e-82a7aa 151->152 153 82a73c-82a74a call 7f1fa0 151->153 157 82a7d9-82a7e5 152->157 158 82a7ac-82a7b2 152->158 170 82a755-82a799 fputs call 7f2201 call 7f1fa0 fputs call 7f2201 call 7f1fa0 153->170 171 82a74c-82a753 153->171 154->151 159 82a727 154->159 155->154 164 82a7e7-82a7ed 157->164 165 82a818-82a81a 157->165 158->157 162 82a7b4-82a7d4 fputs call 7f2201 call 7f1fa0 158->162 159->151 162->157 167 82a899-82a8a5 164->167 172 82a7f3-82a813 fputs call 7f2201 call 7f1fa0 164->172 165->167 168 82a81c-82a82b 165->168 173 82a8a7-82a8ad 167->173 174 82a8e9-82a8ed 167->174 176 82a851-82a85d 168->176 177 82a82d-82a84c fputs call 7f2201 call 7f1fa0 168->177 170->152 171->152 171->170 172->165 183 82a8ef 173->183 184 82a8af-82a8c2 call 7f1fa0 173->184 174->183 188 82a8f6-82a8f8 174->188 176->167 187 82a85f-82a872 call 7f1fa0 176->187 177->176 183->188 184->183 207 82a8c4-82a8e4 fputs call 7f2201 call 7f1fa0 184->207 187->167 209 82a874-82a894 fputs call 7f2201 call 7f1fa0 187->209 196 82a8fe-82a90a 188->196 197 82aaaf-82aaeb call 8143b3 call 7f1e40 call 82c104 call 82ad82 188->197 204 82aa73-82aa89 call 7f1fa0 196->204 205 82a910-82a91f 196->205 246 82aaf1-82aaf7 197->246 247 82ac0b-82ac1e call 822db9 * 2 197->247 204->197 222 82aa8b-82aaaa fputs call 7f2201 call 7f1fa0 204->222 205->204 211 82a925-82a929 205->211 207->174 209->167 211->197 217 82a92f-82a93d 211->217 218 82a96a-82a971 217->218 219 82a93f-82a964 fputs call 7f2201 call 7f1fa0 217->219 227 82a973-82a97a 218->227 228 82a98f-82a9a8 fputs call 7f2201 218->228 219->218 222->197 227->228 234 82a97c-82a982 227->234 241 82a9ad-82a9bd call 7f1fa0 228->241 234->228 239 82a984-82a98d 234->239 239->228 244 82aa06-82aa1f fputs call 7f2201 239->244 241->244 252 82a9bf-82aa01 fputs call 7f2201 call 7f1fa0 fputs call 7f2201 call 7f1fa0 241->252 251 82aa24-82aa29 call 7f1fa0 244->251 246->247 247->30 259 82aa2e-82aa4b fputs call 7f2201 251->259 252->244 263 82aa50-82aa5b call 7f1fa0 259->263 263->197 269 82aa5d-82aa71 call 7f1fa0 call 82710e 263->269 269->197
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$ExceptionThrow
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $N
                              • API String ID: 3665150552-429544124
                              • Opcode ID: e88d5dc690a5f907707cb4f788ab7fec1261f4f0d2501432f1aec11577cca020
                              • Instruction ID: 04220beed92800889a3ea14a330d49bf731a532f5825914986ebeaa85a3d5a9b
                              • Opcode Fuzzy Hash: e88d5dc690a5f907707cb4f788ab7fec1261f4f0d2501432f1aec11577cca020
                              • Instruction Fuzzy Hash: 2C528D30905269DFDF2ADBA4D885BEDBBB5FF44300F14409AE549A3291DB356E84CF12
                              Function 0082A42C Relevance: 56.5, APIs: 15, Strings: 17, Instructions: 503COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 274 82a42c-82a433 275 82a435-82a444 fputs call 7f1fa0 274->275 276 82a449-82a4df call 82545d call 7f2e04 call 811858 call 7f1e40 274->276 275->276 286 82a4e1-82a4e9 call 82c7d7 276->286 287 82a4ee-82a4f1 276->287 286->287 289 82a4f3-82a4fa 287->289 290 82a50e-82a520 call 82c73e 287->290 289->290 291 82a4fc-82a509 call 8257fb 289->291 295 82a526-82a544 call 7f1e0c 290->295 296 82ac0b-82ac2a call 822db9 * 2 290->296 291->290 304 82a551 295->304 305 82a546-82a54f call 82b0fa 295->305 307 82ac3a-82ac66 call 82b96d call 7f1e40 call 813247 296->307 308 82ac2c-82ac33 296->308 306 82a553-82a55c 304->306 305->306 311 82a564-82a5c1 call 7f2fec call 82b277 306->311 312 82a55e-82a560 306->312 327 82ac68-82ac6a 307->327 328 82ac6e-82acb5 call 7f1e40 call 7f11c2 call 82be0c call 822db9 307->328 308->307 313 82ac35 call 82b988 308->313 325 82a5c3-82a5c7 311->325 326 82a5cd-82a652 call 82ad06 call 82bf3e call 803a29 call 7f2e04 call 814345 311->326 312->311 313->307 325->326 348 82a676-82a6d6 call 812096 326->348 349 82a654-82a671 call 81375c call 82b96d 326->349 327->328 355 82a6e2-82a6e5 348->355 356 82a6d8-82a6dd call 82c7d7 348->356 349->348 358 82a6e7-82a6ee 355->358 359 82a72e-82a73a 355->359 356->355 362 82a722-82a725 358->362 363 82a6f0-82a71d call 7f1fa0 fputs call 7f1fa0 call 7f1fb3 call 7f1fa0 358->363 360 82a79e-82a7aa 359->360 361 82a73c-82a74a call 7f1fa0 359->361 365 82a7d9-82a7e5 360->365 366 82a7ac-82a7b2 360->366 378 82a755-82a799 fputs call 7f2201 call 7f1fa0 fputs call 7f2201 call 7f1fa0 361->378 379 82a74c-82a753 361->379 362->359 367 82a727 362->367 363->362 372 82a7e7-82a7ed 365->372 373 82a818-82a81a 365->373 366->365 370 82a7b4-82a7d4 fputs call 7f2201 call 7f1fa0 366->370 367->359 370->365 375 82a899-82a8a5 372->375 380 82a7f3-82a813 fputs call 7f2201 call 7f1fa0 372->380 373->375 376 82a81c-82a82b 373->376 381 82a8a7-82a8ad 375->381 382 82a8e9-82a8ed 375->382 384 82a851-82a85d 376->384 385 82a82d-82a84c fputs call 7f2201 call 7f1fa0 376->385 378->360 379->360 379->378 380->373 391 82a8ef 381->391 392 82a8af-82a8c2 call 7f1fa0 381->392 382->391 396 82a8f6-82a8f8 382->396 384->375 395 82a85f-82a872 call 7f1fa0 384->395 385->384 391->396 392->391 415 82a8c4-82a8e4 fputs call 7f2201 call 7f1fa0 392->415 395->375 417 82a874-82a894 fputs call 7f2201 call 7f1fa0 395->417 404 82a8fe-82a90a 396->404 405 82aaaf-82aaeb call 8143b3 call 7f1e40 call 82c104 call 82ad82 396->405 412 82aa73-82aa89 call 7f1fa0 404->412 413 82a910-82a91f 404->413 405->296 454 82aaf1-82aaf7 405->454 412->405 430 82aa8b-82aaaa fputs call 7f2201 call 7f1fa0 412->430 413->412 419 82a925-82a929 413->419 415->382 417->375 419->405 425 82a92f-82a93d 419->425 426 82a96a-82a971 425->426 427 82a93f-82a964 fputs call 7f2201 call 7f1fa0 425->427 435 82a973-82a97a 426->435 436 82a98f-82a9a8 fputs call 7f2201 426->436 427->426 430->405 435->436 442 82a97c-82a982 435->442 449 82a9ad-82a9bd call 7f1fa0 436->449 442->436 447 82a984-82a98d 442->447 447->436 452 82aa06-82aa4b fputs call 7f2201 call 7f1fa0 fputs call 7f2201 447->452 449->452 458 82a9bf-82aa01 fputs call 7f2201 call 7f1fa0 fputs call 7f2201 call 7f1fa0 449->458 467 82aa50-82aa5b call 7f1fa0 452->467 454->296 458->452 467->405 473 82aa5d-82aa71 call 7f1fa0 call 82710e 467->473 473->405
                              APIs
                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 0082A43E
                                • Part of subcall function 007F1FA0: fputc.MSVCRT ref: 007F1FA7
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $!"$N
                              • API String ID: 269475090-3104439828
                              • Opcode ID: 8aa64281546123ce8ba5b0eef595d7c922d6803b746694f046001465abf38668
                              • Instruction ID: 6ae5f0b4256a203723e70b79f604788bda32388a74bc5e439e23717e0ac68d91
                              • Opcode Fuzzy Hash: 8aa64281546123ce8ba5b0eef595d7c922d6803b746694f046001465abf38668
                              • Instruction Fuzzy Hash: AC226D31901268DFDF2AEBA4D845BEDBBF5FF44300F10409AE559A3291DB756A84CF12
                              Function 0082993D Relevance: 44.3, APIs: 16, Strings: 9, Instructions: 569COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 478 82993d-829950 call 82b5b1 481 829952-82995e call 7f1fb3 478->481 482 829963-82997e call 801f33 478->482 481->482 486 829980-82998a 482->486 487 82998f-829998 482->487 486->487 488 82999a-8299a6 487->488 489 8299a8 487->489 488->489 490 8299ab-8299b5 488->490 489->490 491 8299b7-8299cc GetStdHandle GetConsoleScreenBufferInfo 490->491 492 8299d5-829a04 call 7f1e0c call 82acb6 490->492 491->492 493 8299ce-8299d2 491->493 500 829a06-829a08 492->500 501 829a0c-829a24 call 817b48 492->501 493->492 500->501 503 829a29-829a48 call 82b96d call 817018 call 801aa4 501->503 510 829a4a-829a4c 503->510 511 829a7c-829aa8 call 81ddb5 503->511 512 829a66-829a77 _CxxThrowException 510->512 513 829a4e-829a55 510->513 518 829ac0-829ade 511->518 519 829aaa-829abb _CxxThrowException 511->519 512->511 513->512 515 829a57-829a64 call 801ac8 513->515 515->511 515->512 521 829ae0-829b04 call 817dd7 518->521 522 829b3a-829b55 518->522 519->518 528 829bfa-829c0b _CxxThrowException 521->528 529 829b0a-829b0e 521->529 526 829b57 522->526 527 829b5c-829ba4 call 7f1fa0 fputs call 7f1fa0 strlen * 2 522->527 526->527 541 829e25-829e4d call 7f1fa0 fputs call 7f1fa0 527->541 542 829baa-829be4 fputs fputc 527->542 532 829c10 528->532 529->528 531 829b14-829b38 call 82c077 call 7f1e40 529->531 531->521 531->522 535 829c12-829c25 532->535 543 829be6-829bf0 535->543 544 829c27-829c33 535->544 554 829e53 541->554 555 829f0c-829f34 call 7f1fa0 fputs call 7f1fa0 541->555 542->543 542->544 543->532 547 829bf2-829bf8 543->547 552 829c81-829cb1 call 82b67d call 7f2e04 544->552 553 829c35-829c3d 544->553 547->535 595 829cb3-829cb7 552->595 596 829d10-829d28 call 82b67d 552->596 556 829c6b-829c80 call 7f21d8 553->556 557 829c3f-829c4a 553->557 559 829e5a-829e6f call 82b650 554->559 577 82ac23-82ac2a 555->577 578 829f3a 555->578 556->552 561 829c54 557->561 562 829c4c-829c52 557->562 575 829e71-829e79 559->575 576 829e7b-829e7e call 7f21d8 559->576 568 829c56-829c69 561->568 562->568 568->556 568->557 586 829e83-829f06 call 82bde4 fputs call 7f1fa0 575->586 576->586 582 82ac3a-82ac66 call 82b96d call 7f1e40 call 813247 577->582 583 82ac2c-82ac33 577->583 581 829f41-829f9d call 82b650 call 82b5e9 call 82bde4 fputs call 7f1fa0 578->581 657 829f9f 581->657 619 82ac68-82ac6a 582->619 620 82ac6e-82acb5 call 7f1e40 call 7f11c2 call 82be0c call 822db9 582->620 583->582 589 82ac35 call 82b988 583->589 586->555 586->559 589->582 597 829cc1-829cdd call 7f31e5 595->597 598 829cb9-829cbc call 7f315e 595->598 616 829d2a-829d4a fputs call 7f21d8 596->616 617 829d4b-829d53 596->617 611 829d05-829d0e 597->611 612 829cdf-829d00 call 7f3221 call 7f31e5 call 7f1089 597->612 598->597 611->595 611->596 612->611 616->617 623 829d59-829d5d 617->623 624 829dff-829e1f call 7f1fa0 call 7f1e40 617->624 619->620 630 829d6e-829d82 623->630 631 829d5f-829d6d fputs 623->631 624->541 624->542 638 829df0-829df9 630->638 639 829d84-829d88 630->639 631->630 638->623 638->624 645 829d95-829d9f 639->645 646 829d8a-829d94 639->646 654 829da1-829da3 645->654 655 829da5-829db1 645->655 646->645 654->655 656 829dd8-829dee 654->656 658 829db3-829db6 655->658 659 829db8 655->659 656->638 656->639 657->577 663 829dbb-829dce 658->663 659->663 670 829dd0-829dd3 663->670 671 829dd5 663->671 670->656 671->656
                              APIs
                                • Part of subcall function 0082B5B1: fputs.MSVCRT ref: 0082B5CA
                                • Part of subcall function 0082B5B1: fputs.MSVCRT ref: 0082B5E1
                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 008299BD
                              • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 008299C4
                              • _CxxThrowException.MSVCRT(?,008A55B8), ref: 00829A77
                              • _CxxThrowException.MSVCRT(?,008A55B8), ref: 00829ABB
                                • Part of subcall function 007F1FB3: __EH_prolog.LIBCMT ref: 007F1FB8
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                              • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$N
                              • API String ID: 377453556-3661318601
                              • Opcode ID: 642c98f19c894f8527c3ae8dff8db9044f83f37dcaa917f2239b1c34697a9661
                              • Instruction ID: 967addeb68b33e3e283a8593649ed476042f9e386f9420554aab4aef929d2e55
                              • Opcode Fuzzy Hash: 642c98f19c894f8527c3ae8dff8db9044f83f37dcaa917f2239b1c34697a9661
                              • Instruction Fuzzy Hash: 32228D71900218DFDF15EFA8E885BADBBB1FF48310F60005AE545E7292CB359A85CF65
                              Function 00801ADE Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 288COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 672 801ade-801b14 call 88fb10 call 7f13f5 677 801b32-801b8b _fileno _isatty _fileno _isatty _fileno _isatty 672->677 678 801b16-801b2d call 811d73 _CxxThrowException 672->678 680 801b9d-801b9f 677->680 681 801b8d-801b91 677->681 678->677 684 801ba0-801bcd 680->684 681->680 683 801b93-801b97 681->683 683->680 687 801b99-801b9b 683->687 685 801bf9-801c12 684->685 686 801bcf-801bf8 call 801ea4 call 7f27bb call 7f1e40 684->686 689 801c20 685->689 690 801c14-801c18 685->690 686->685 687->684 693 801c27-801c2b 689->693 690->689 692 801c1a-801c1e 690->692 692->689 692->693 695 801c34-801c3e 693->695 696 801c2d 693->696 698 801c40-801c43 695->698 699 801c49-801c53 695->699 696->695 698->699 700 801c55-801c58 699->700 701 801c5e-801c68 699->701 700->701 703 801c73-801c79 701->703 704 801c6a-801c6d 701->704 706 801cc9-801cd2 703->706 707 801c7b-801c87 703->707 704->703 710 801cd4-801ce6 706->710 711 801cea call 801eb9 706->711 708 801c95-801ca1 call 801ed1 707->708 709 801c89-801c93 707->709 718 801cc0-801cc3 708->718 719 801ca3-801cbb call 811d73 _CxxThrowException 708->719 709->706 710->711 714 801cef-801cf8 711->714 716 801d37-801d40 714->716 717 801cfa-801d0a 714->717 723 801e93-801ea1 716->723 724 801d46-801d52 716->724 720 801d10 717->720 721 801dc2-801dd4 wcscmp 717->721 718->706 719->718 725 801d17-801d1f call 7f9399 720->725 721->725 727 801dda-801de6 call 801ed1 721->727 724->723 728 801d58-801d93 call 7f26dd call 7f280c call 7f3221 call 7f3bbf 724->728 725->716 737 801d21-801d32 call 876a60 call 7f9313 725->737 727->725 735 801dec-801e04 call 811d73 _CxxThrowException 727->735 756 801d95-801d9c 728->756 757 801d9f-801da3 728->757 744 801e09-801e0c 735->744 737->716 747 801e31-801e4a call 801f0c GetCurrentProcess SetProcessAffinityMask 744->747 748 801e0e 744->748 761 801e83-801e92 call 7f3172 call 7f1e40 747->761 762 801e4c-801e82 GetLastError call 7f3221 call 7f58a9 call 7f31e5 call 7f1e40 747->762 751 801e10-801e12 748->751 752 801e14-801e2c call 811d73 _CxxThrowException 748->752 751->747 751->752 752->747 756->757 757->744 760 801da5-801dbd call 811d73 _CxxThrowException 757->760 760->721 761->723 762->761
                              APIs
                              • __EH_prolog.LIBCMT ref: 00801AE3
                                • Part of subcall function 007F13F5: __EH_prolog.LIBCMT ref: 007F13FA
                              • _CxxThrowException.MSVCRT(?,008A6010), ref: 00801B2D
                              • _fileno.MSVCRT ref: 00801B3E
                              • _isatty.MSVCRT ref: 00801B47
                              • _fileno.MSVCRT ref: 00801B5D
                              • _isatty.MSVCRT ref: 00801B60
                              • _fileno.MSVCRT ref: 00801B73
                              • _CxxThrowException.MSVCRT(?,008A6010), ref: 00801CBB
                              • _CxxThrowException.MSVCRT(?,008A6010), ref: 00801DBD
                              • wcscmp.MSVCRT ref: 00801DCA
                              • _CxxThrowException.MSVCRT(?,008A6010), ref: 00801E04
                              • _isatty.MSVCRT ref: 00801B76
                                • Part of subcall function 00811D73: __EH_prolog.LIBCMT ref: 00811D78
                              • _CxxThrowException.MSVCRT(?,008A6010), ref: 00801E2C
                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00801E3B
                              • SetProcessAffinityMask.KERNEL32(00000000), ref: 00801E42
                              • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00801E4C
                              Strings
                              • SeLockMemoryPrivilege, xrefs: 00801D28
                              • Unsupported switch postfix -bb, xrefs: 00801CA8
                              • Unsupported switch postfix for -slp, xrefs: 00801DF1
                              • Unsupported switch postfix -stm, xrefs: 00801DAA
                              • Set process affinity mask: , xrefs: 00801D74
                              • : ERROR : , xrefs: 00801E52
                              • unsupported value -stm, xrefs: 00801E19
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                              • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                              • API String ID: 1826148334-1115009270
                              • Opcode ID: f44c3cc8b7812ae52e3e4c8b7de138a3ceb34a1d13d367a436eea7a1f92d39e8
                              • Instruction ID: 47a42cc6ca1502460e15fdf2c938b0b177a41cb2f47f2b176ee9213bef18b228
                              • Opcode Fuzzy Hash: f44c3cc8b7812ae52e3e4c8b7de138a3ceb34a1d13d367a436eea7a1f92d39e8
                              • Instruction Fuzzy Hash: 02C1AF31900245DFEF11EFA8C88DBE9BBE5FF19324F088459E495E7292CB74A944CB21
                              Function 00828012 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 240COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 777 828012-828032 call 88fb10 780 828285 777->780 781 828038-82806c fputs call 828341 777->781 782 828287-828295 780->782 785 8280c8-8280cd 781->785 786 82806e-828071 781->786 787 8280d6-8280df 785->787 788 8280cf-8280d4 785->788 789 828073-828089 fputs call 7f1fa0 786->789 790 82808b-82808d 786->790 791 8280e2-828110 call 828341 call 828622 787->791 788->791 789->785 793 828096-82809f 790->793 794 82808f-828094 790->794 805 828112-828119 call 82831f 791->805 806 82811e-82812f call 828565 791->806 795 8280a2-8280c7 call 7f2e47 call 8285c6 call 7f1e40 793->795 794->795 795->785 805->806 806->782 812 828135-82813f 806->812 813 828141-828148 call 8282bb 812->813 814 82814d-82815b 812->814 813->814 814->782 817 828161-828164 814->817 818 8281b6-8281c0 817->818 819 828166-828186 817->819 820 828276-82827f 818->820 821 8281c6-8281e1 fputs 818->821 824 828298-82829d 819->824 825 82818c-828196 call 828565 819->825 820->780 820->781 821->820 826 8281e7-8281fb 821->826 827 8282b1-8282b9 SysFreeString 824->827 829 82819b-82819d 825->829 830 828273 826->830 831 8281fd-82821f 826->831 827->782 829->824 832 8281a3-8281b4 SysFreeString 829->832 830->820 834 828221-828245 831->834 835 82829f-8282a1 831->835 832->818 832->819 838 8282a3-8282ab call 7f965d 834->838 839 828247-828271 call 8284a7 call 7f965d SysFreeString 834->839 836 8282ae 835->836 836->827 838->836 839->830 839->831
                              APIs
                              • __EH_prolog.LIBCMT ref: 00828017
                              • fputs.MSVCRT ref: 0082804D
                                • Part of subcall function 00828341: __EH_prolog.LIBCMT ref: 00828346
                                • Part of subcall function 00828341: fputs.MSVCRT ref: 0082835B
                                • Part of subcall function 00828341: fputs.MSVCRT ref: 00828364
                              • fputs.MSVCRT ref: 0082807A
                                • Part of subcall function 007F1FA0: fputc.MSVCRT ref: 007F1FA7
                                • Part of subcall function 007F965D: VariantClear.OLEAUT32(?), ref: 007F967F
                              • SysFreeString.OLEAUT32(00000000), ref: 008281AA
                              • fputs.MSVCRT ref: 008281CD
                              • SysFreeString.OLEAUT32(00000000), ref: 00828267
                              • SysFreeString.OLEAUT32(00000000), ref: 008282B1
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2889736305-3797937567
                              • Opcode ID: eeab2173a17f46fc78661f00a42e188221a84246716fb483c00f11007a217996
                              • Instruction ID: 88c72d419a0bacc023e68482860ce89d820f33c5ffa5488ccd9eaa1c4d51c276
                              • Opcode Fuzzy Hash: eeab2173a17f46fc78661f00a42e188221a84246716fb483c00f11007a217996
                              • Instruction Fuzzy Hash: 5E917C31A01619EFCF14EFA4DD85AAEB7B5FF48310F244129E512E7291DB70AD85CB60
                              Function 00826766 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 135COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 846 826766-826792 call 88fb10 EnterCriticalSection 849 826794-826799 call 82c7d7 846->849 850 8267af-8267b7 846->850 854 82679e-8267ac 849->854 852 8267b9 call 7f1f91 850->852 853 8267be-8267c3 850->853 852->853 856 826892-8268a8 853->856 857 8267c9-8267d5 853->857 854->850 860 826941 856->860 861 8268ae-8268b4 856->861 858 826817-82682f 857->858 859 8267d7-8267dd 857->859 863 826873-82687b 858->863 864 826831-826842 call 7f1fa0 858->864 859->858 866 8267df-8267eb 859->866 865 826943-82695a 860->865 861->860 862 8268ba-8268c2 861->862 867 826933-82693f call 82c5cd 862->867 868 8268c4-8268e6 call 7f1fa0 fputs 862->868 863->867 870 826881-826887 863->870 864->863 882 826844-82686c fputs call 7f2201 864->882 871 8267f3-826801 866->871 872 8267ed 866->872 867->865 884 8268fb-826917 call 804f2a call 7f1fb3 call 7f1e40 868->884 885 8268e8-8268f9 fputs 868->885 870->867 878 82688d 870->878 871->863 874 826803-826815 fputs 871->874 872->871 880 82686e call 7f1fa0 874->880 883 82692e call 7f1f91 878->883 880->863 882->880 883->867 889 82691c-826928 call 7f1fa0 884->889 885->889 889->883
                              APIs
                              • __EH_prolog.LIBCMT ref: 0082676B
                              • EnterCriticalSection.KERNEL32(008B2938), ref: 00826781
                              • fputs.MSVCRT ref: 0082680B
                              • LeaveCriticalSection.KERNEL32(008B2938), ref: 00826944
                                • Part of subcall function 0082C7D7: fputs.MSVCRT ref: 0082C840
                              • fputs.MSVCRT ref: 00826851
                                • Part of subcall function 007F2201: fputs.MSVCRT ref: 007F221E
                              • fputs.MSVCRT ref: 008268D9
                              • fputs.MSVCRT ref: 008268F6
                                • Part of subcall function 007F1FA0: fputc.MSVCRT ref: 007F1FA7
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                              • String ID: v$Sub items Errors:
                              • API String ID: 2670240366-2468115448
                              • Opcode ID: 9ad933358d69e736611c640779754634b57ba6c36cde6a4b562da81106da38bf
                              • Instruction ID: 79d76bf4e797b9c1870d8efdca227b8da8dca04e5c25b10ba78c862db7f1411e
                              • Opcode Fuzzy Hash: 9ad933358d69e736611c640779754634b57ba6c36cde6a4b562da81106da38bf
                              • Instruction Fuzzy Hash: 0251A031501604DFCB25AF74E894AEABBE2FF84310F54442EE29AC7261EB357CA4CB50
                              Function 00826359 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 252COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 898 826359-826373 call 88fb10 901 826375-826385 call 82c7d7 898->901 902 82639e-8263af call 825a4d 898->902 901->902 907 826387-82639b 901->907 908 8263b5-8263cd 902->908 909 8265ee-8265f1 902->909 907->902 912 8263d2-8263d4 908->912 913 8263cf 908->913 910 8265f3-8265fb 909->910 911 826624-82663c 909->911 914 826601-826607 call 828012 910->914 915 8266ea call 82c5cd 910->915 916 826643-82664b 911->916 917 82663e call 7f1f91 911->917 918 8263d6-8263d9 912->918 919 8263df-8263e7 912->919 913->912 928 82660c-82660e 914->928 927 8266ef-8266fd 915->927 916->915 924 826651-82668f fputs call 7f211a call 7f1fa0 call 828685 916->924 917->916 918->919 923 8264b1-8264bc call 826700 918->923 925 826411-826413 919->925 926 8263e9-8263f2 call 7f1fa0 919->926 945 8264c7-8264cf 923->945 946 8264be-8264c1 923->946 924->927 981 826691-826697 924->981 929 826442-826446 925->929 930 826415-82641d 925->930 926->925 950 8263f4-82640c call 7f210c call 7f1fa0 926->950 928->927 934 826614-82661f call 7f1fa0 928->934 938 826497-82649f 929->938 939 826448-826450 929->939 935 82642a-82643b 930->935 936 82641f-826425 call 826134 930->936 934->915 935->929 936->935 938->923 942 8264a1-8264ac call 7f1fa0 call 7f1f91 938->942 947 826452-82647a fputs call 7f1fa0 call 7f1fb3 call 7f1fa0 939->947 948 82647f-826490 939->948 942->923 956 8264d1-8264da call 7f1fa0 945->956 957 8264f9-8264fb 945->957 946->945 955 8265a2-8265a6 946->955 947->948 948->938 950->925 964 8265da-8265e6 955->964 965 8265a8-8265b6 955->965 956->957 986 8264dc-8264f4 call 7f210c call 7f1fa0 956->986 961 82652a-82652e 957->961 962 8264fd-826505 957->962 973 826530-826538 961->973 974 82657f-826587 961->974 970 826512-826523 962->970 971 826507-82650d call 826134 962->971 964->908 979 8265ec 964->979 975 8265d3 965->975 976 8265b8-8265ca call 826244 965->976 970->961 971->970 983 826567-826578 973->983 984 82653a-826562 fputs call 7f1fa0 call 7f1fb3 call 7f1fa0 973->984 974->955 980 826589-826595 call 7f1fa0 974->980 975->964 976->975 1000 8265cc-8265ce call 7f1f91 976->1000 979->909 980->955 1003 826597-82659d call 7f1f91 980->1003 989 826699-82669f 981->989 990 8266df-8266e5 call 7f1f91 981->990 983->974 984->983 986->957 997 8266b3-8266ce call 804f2a call 7f1fb3 call 7f1e40 989->997 998 8266a1-8266b1 fputs 989->998 990->915 1004 8266d3-8266da call 7f1fa0 997->1004 998->1004 1000->975 1003->955 1004->990
                              APIs
                              • __EH_prolog.LIBCMT ref: 0082635E
                              • fputs.MSVCRT ref: 0082645F
                                • Part of subcall function 0082C7D7: fputs.MSVCRT ref: 0082C840
                              • fputs.MSVCRT ref: 00826547
                              • fputs.MSVCRT ref: 0082665F
                              • fputs.MSVCRT ref: 008266AE
                                • Part of subcall function 007F1F91: fflush.MSVCRT ref: 007F1F93
                                • Part of subcall function 007F1FB3: __EH_prolog.LIBCMT ref: 007F1FB8
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog$fflushfree
                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                              • API String ID: 1750297421-1898165966
                              • Opcode ID: 1085da4db8e45f8f080ca2986729646f4ec84749866f87d56bf4616c5d85ea12
                              • Instruction ID: 423c703b268b8c3d538c08fc525793783d17cd8bd6b15fc115572d5a5cfb4259
                              • Opcode Fuzzy Hash: 1085da4db8e45f8f080ca2986729646f4ec84749866f87d56bf4616c5d85ea12
                              • Instruction Fuzzy Hash: 92B1BB30A02715CFDB24EF64E9A5BAAB3E1FF44304F44442DE69A87292DB34AC94CF51
                              Function 007F9C8F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47libraryloaderCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1016 7f9c8f-7f9cc2 GetModuleHandleA GetProcAddress 1017 7f9cef-7f9d06 GlobalMemoryStatus 1016->1017 1018 7f9cc4-7f9ccc GlobalMemoryStatusEx 1016->1018 1020 7f9d0b-7f9d0d 1017->1020 1021 7f9d08 1017->1021 1018->1017 1019 7f9cce-7f9cd7 1018->1019 1022 7f9cd9 1019->1022 1023 7f9ce5 1019->1023 1024 7f9d11-7f9d15 1020->1024 1021->1020 1025 7f9cdb-7f9cde 1022->1025 1026 7f9ce0-7f9ce3 1022->1026 1027 7f9ce8-7f9ced 1023->1027 1025->1023 1025->1026 1026->1027 1027->1024
                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 007F9CB3
                              • GetProcAddress.KERNEL32(00000000), ref: 007F9CBA
                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 007F9CC8
                              • GlobalMemoryStatus.KERNEL32(?), ref: 007F9CFA
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                              • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                              • API String ID: 180289352-802862622
                              • Opcode ID: 311d0fe33e82d4e3593e0d298c48c77ce8c523921bf1ac90c683fdf01c266a1d
                              • Instruction ID: c50362fca104e8f256cfafd1aa4c47c642306a410fce854a674fb4a194d7d391
                              • Opcode Fuzzy Hash: 311d0fe33e82d4e3593e0d298c48c77ce8c523921bf1ac90c683fdf01c266a1d
                              • Instruction Fuzzy Hash: 71115770A0020DDBDF20EFA4D899BADBBF8FB04305F100419E642E7340E779A880CB65
                              Function 0088FF3A Relevance: 10.6, APIs: 7, Instructions: 57COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                              • String ID:
                              • API String ID: 4012487245-0
                              • Opcode ID: 98bd612af755c6c73212e4c903a4f55947b09d4373831fb91ff14990aa814510
                              • Instruction ID: efc24da567beeb9517eafdf76c2401b45327e1b57fafb9fcaf0dd0ae0f78c3e0
                              • Opcode Fuzzy Hash: 98bd612af755c6c73212e4c903a4f55947b09d4373831fb91ff14990aa814510
                              • Instruction Fuzzy Hash: 5C210B71900A08EFCB11AFA4DC46B99BBB8FB0D720F184316F521E23A1DB795441CF25
                              Function 0088FFB1 Relevance: 10.5, APIs: 7, Instructions: 43COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                              • String ID:
                              • API String ID: 279829931-0
                              • Opcode ID: 73d95f2e4737686708e593a81b72b1bac39178f30986caf221df70f0381f3d07
                              • Instruction ID: 300f215e92a88f49e4f8845bc577032a022f787b5b756c8335ec2dfee4eea0e4
                              • Opcode Fuzzy Hash: 73d95f2e4737686708e593a81b72b1bac39178f30986caf221df70f0381f3d07
                              • Instruction Fuzzy Hash: 9401D772940A08AFDF14BBE4DC45DEE7779FB0D310B18011AF515E2361DA769441CF21
                              Function 00811858 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 213COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 0081185D
                                • Part of subcall function 0081021A: __EH_prolog.LIBCMT ref: 0081021F
                                • Part of subcall function 0081062E: __EH_prolog.LIBCMT ref: 00810633
                              • _CxxThrowException.MSVCRT(?,008A6010), ref: 00811961
                                • Part of subcall function 00811AA5: __EH_prolog.LIBCMT ref: 00811AAA
                              Strings
                              • Duplicate archive path:, xrefs: 00811A8D
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID: Duplicate archive path:
                              • API String ID: 2366012087-4000988232
                              • Opcode ID: 90ab1c52644ea5a095d504cfb0f12bc1c7ac24b1c332014ccc0c9b887da7ce3e
                              • Instruction ID: 633080eac38e5496a4f22d0f645612c215cfa31576a5a8ff38693d33e54c5fab
                              • Opcode Fuzzy Hash: 90ab1c52644ea5a095d504cfb0f12bc1c7ac24b1c332014ccc0c9b887da7ce3e
                              • Instruction Fuzzy Hash: A9815A31D00158DFCF25EFA8D895ADDBBB5FF18310F1040A9E616A7292DB34AE85CB61
                              Function 0083F1B2 Relevance: 7.7, APIs: 5, Instructions: 168COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1520 83f1b2-83f1ce call 88fb10 call 801168 1524 83f1d3-83f1d5 1520->1524 1525 83f1db-83f1e4 call 83f3e4 1524->1525 1526 83f36a-83f378 1524->1526 1529 83f1e6-83f1e8 1525->1529 1530 83f1ed-83f1f2 1525->1530 1529->1526 1531 83f203-83f21a 1530->1531 1532 83f1f4-83f1f9 1530->1532 1535 83f231-83f248 memcpy 1531->1535 1536 83f21c-83f22c _CxxThrowException 1531->1536 1532->1531 1533 83f1fb-83f1fe 1532->1533 1533->1526 1537 83f24c-83f257 1535->1537 1536->1535 1538 83f259 1537->1538 1539 83f25c-83f25e 1537->1539 1538->1539 1540 83f281-83f299 1539->1540 1541 83f260-83f26f 1539->1541 1549 83f311-83f313 1540->1549 1550 83f29b-83f2a0 1540->1550 1542 83f271 1541->1542 1543 83f279-83f27b 1541->1543 1544 83f273-83f275 1542->1544 1545 83f277 1542->1545 1543->1540 1546 83f315-83f318 1543->1546 1544->1543 1544->1545 1545->1543 1548 83f357-83f368 1546->1548 1548->1526 1549->1548 1550->1546 1551 83f2a2-83f2b5 call 83f37b 1550->1551 1555 83f2f0-83f30c memmove 1551->1555 1556 83f2b7-83f2cf call 88e1a0 1551->1556 1555->1537 1559 83f2d1-83f2eb call 83f37b 1556->1559 1560 83f31a-83f355 memcpy 1556->1560 1559->1556 1564 83f2ed 1559->1564 1560->1548 1564->1555
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 480940fb9c7e0819eabc3c28542ba74bea04c0b7320d2cc133a0f1dfbb3a1de0
                              • Instruction ID: 01a911151cdb61ba1ae692e79c02143d07a2394e822a50f8129b57fedbf88500
                              • Opcode Fuzzy Hash: 480940fb9c7e0819eabc3c28542ba74bea04c0b7320d2cc133a0f1dfbb3a1de0
                              • Instruction Fuzzy Hash: 50513F76E002199BDF14DFA4C8C5AAEB3B5FFD8354F148429EA01EB342D774A9058BE1
                              Function 007F6C72 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 398COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1565 7f6c72-7f6c8e call 88fb10 1568 7f6c96-7f6c9e 1565->1568 1569 7f6c90-7f6c94 1565->1569 1571 7f6ca6-7f6cae 1568->1571 1572 7f6ca0-7f6ca4 1568->1572 1569->1568 1570 7f6cd3-7f6cdc call 7f8664 1569->1570 1577 7f6d87-7f6d92 call 7f88c6 1570->1577 1578 7f6ce2-7f6d02 call 7f67f0 call 7f2f88 call 7f87df 1570->1578 1571->1570 1573 7f6cb0-7f6cb5 1571->1573 1572->1570 1572->1571 1573->1570 1576 7f6cb7-7f6cce call 7f67f0 call 7f2f88 1573->1576 1593 7f715d-7f715f 1576->1593 1587 7f6f4c-7f6f62 call 7f87fa 1577->1587 1588 7f6d98-7f6d9e 1577->1588 1603 7f6d4a-7f6d61 call 7f7b41 1578->1603 1604 7f6d04-7f6d09 1578->1604 1598 7f6f67-7f6f74 call 7f85e2 1587->1598 1599 7f6f64-7f6f66 1587->1599 1588->1587 1592 7f6da4-7f6dc7 call 7f2e47 * 2 1588->1592 1610 7f6dc9-7f6dcf 1592->1610 1611 7f6dd4-7f6dda 1592->1611 1596 7f7118-7f7126 1593->1596 1612 7f6f76-7f6f7c 1598->1612 1613 7f6fd1-7f6fd8 1598->1613 1599->1598 1616 7f6d67-7f6d6b 1603->1616 1617 7f6d63-7f6d65 1603->1617 1604->1603 1607 7f6d0b-7f6d38 call 7f9252 1604->1607 1607->1603 1633 7f6d3a-7f6d45 1607->1633 1610->1611 1618 7f6ddc-7f6def call 7f2407 1611->1618 1619 7f6df1-7f6df9 call 7f3221 1611->1619 1612->1613 1622 7f6f7e-7f6f8a call 7f6bf5 1612->1622 1620 7f6fda-7f6fde 1613->1620 1621 7f6fe4-7f6feb 1613->1621 1625 7f6d6d-7f6d75 1616->1625 1626 7f6d78 1616->1626 1624 7f6d7a-7f6d82 call 7f764c 1617->1624 1618->1619 1637 7f6dfe-7f6e0b call 7f87df 1618->1637 1619->1637 1620->1621 1629 7f70e5-7f70ea call 7f6868 1620->1629 1630 7f701d-7f7024 call 7f8782 1621->1630 1631 7f6fed-7f6ff7 call 7f6bf5 1621->1631 1622->1629 1646 7f6f90-7f6f93 1622->1646 1650 7f7116 1624->1650 1625->1626 1626->1624 1642 7f70ef-7f70f3 1629->1642 1630->1629 1647 7f702a-7f7035 1630->1647 1631->1629 1652 7f6ffd-7f7000 1631->1652 1633->1593 1657 7f6e0d-7f6e10 1637->1657 1658 7f6e43-7f6e50 call 7f6c72 1637->1658 1648 7f710c 1642->1648 1649 7f70f5-7f70f7 1642->1649 1646->1629 1653 7f6f99-7f6fb6 call 7f67f0 call 7f2f88 1646->1653 1647->1629 1654 7f703b-7f7044 call 7f8578 1647->1654 1656 7f710e-7f7111 call 7f6848 1648->1656 1649->1648 1655 7f70f9-7f7102 1649->1655 1650->1596 1652->1629 1659 7f7006-7f701b call 7f67f0 1652->1659 1684 7f6fb8-7f6fbd 1653->1684 1685 7f6fc2-7f6fc5 call 7f717b 1653->1685 1654->1629 1676 7f704a-7f7054 call 7f717b 1654->1676 1655->1648 1662 7f7104-7f7107 call 7f717b 1655->1662 1656->1650 1665 7f6e1e-7f6e36 call 7f67f0 1657->1665 1666 7f6e12-7f6e15 1657->1666 1677 7f6f3a-7f6f4b call 7f1e40 * 2 1658->1677 1678 7f6e56 1658->1678 1679 7f6fca-7f6fcc 1659->1679 1662->1648 1682 7f6e58-7f6e7e call 7f2f1c call 7f2e04 1665->1682 1683 7f6e38-7f6e41 call 7f2fec 1665->1683 1666->1658 1672 7f6e17-7f6e1c 1666->1672 1672->1658 1672->1665 1694 7f7056-7f705f call 7f2f88 1676->1694 1695 7f7064-7f7097 call 7f2e47 call 7f1089 * 2 call 7f6868 1676->1695 1677->1587 1678->1682 1679->1656 1703 7f6e83-7f6e99 call 7f6bb5 1682->1703 1683->1682 1684->1685 1685->1679 1705 7f7155-7f7158 call 7f6848 1694->1705 1727 7f70bf-7f70cc call 7f6bf5 1695->1727 1728 7f7099-7f70af wcscmp 1695->1728 1712 7f6ecf-7f6ed1 1703->1712 1713 7f6e9b-7f6e9f 1703->1713 1705->1593 1715 7f6f09-7f6f35 call 7f1e40 * 2 call 7f6848 call 7f1e40 * 2 1712->1715 1716 7f6ec7-7f6ec9 SetLastError 1713->1716 1717 7f6ea1-7f6eae call 7f22bf 1713->1717 1715->1650 1716->1712 1725 7f6ed3-7f6ed9 1717->1725 1726 7f6eb0-7f6ec5 call 7f1e40 call 7f2e04 1717->1726 1734 7f6eec-7f6f07 call 7f31e5 1725->1734 1735 7f6edb-7f6ee0 1725->1735 1726->1703 1745 7f70ce-7f70d1 1727->1745 1746 7f7129-7f7133 call 7f67f0 1727->1746 1731 7f70bb 1728->1731 1732 7f70b1-7f70b6 1728->1732 1731->1727 1738 7f7147-7f7154 call 7f2f88 call 7f1e40 1732->1738 1734->1715 1735->1734 1740 7f6ee2-7f6ee8 1735->1740 1738->1705 1740->1734 1751 7f70d8-7f70e4 call 7f1e40 1745->1751 1752 7f70d3-7f70d6 1745->1752 1761 7f713a 1746->1761 1762 7f7135-7f7138 1746->1762 1751->1629 1752->1746 1752->1751 1763 7f7141-7f7144 1761->1763 1762->1763 1763->1738
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F6C77
                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 007F6EC9
                                • Part of subcall function 007F6C72: wcscmp.MSVCRT ref: 007F70A5
                                • Part of subcall function 007F6BF5: __EH_prolog.LIBCMT ref: 007F6BFA
                                • Part of subcall function 007F6BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 007F6C1A
                                • Part of subcall function 007F6BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 007F6C49
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                              • String ID: :$DATA
                              • API String ID: 3316598575-2587938151
                              • Opcode ID: 8b864cc5480731fe1f18b944c06a3d389e34d391a1334e6cf9067ee12e26f61f
                              • Instruction ID: 37894d6cddfa3bf9dd54a5d2e391028bff0f862d6d8f80de381843e0a0af1eb7
                              • Opcode Fuzzy Hash: 8b864cc5480731fe1f18b944c06a3d389e34d391a1334e6cf9067ee12e26f61f
                              • Instruction Fuzzy Hash: 05E1233090420DDACF25EFA4C899BFEB7B1BF14314F104119EA526B392DB7DA94ACB11
                              Function 00806FC5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00806FCA
                                • Part of subcall function 00806E71: __EH_prolog.LIBCMT ref: 00806E76
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                              • API String ID: 3519838083-394804653
                              • Opcode ID: 6cda2601d5f44a0624862a9f358614eeb3ae4b5ff58ab10453968e71201501f0
                              • Instruction ID: d965cf76680e6840e4e870eaef5d13fe603520a66cf7e3b195950c152324ff55
                              • Opcode Fuzzy Hash: 6cda2601d5f44a0624862a9f358614eeb3ae4b5ff58ab10453968e71201501f0
                              • Instruction Fuzzy Hash: A041D372E086449BCF61DFA888909EEBBF5FF49300F58456EE086E3281D6307E45C761
                              Function 008284A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: 55b86fd4c128dbdf46444d199cc4df61c31a4c5d8665139148860c5ecf5e8733
                              • Instruction ID: 0c13ca381760f4965fac39f71c2f21b6c2cbf9a0113b6d84a049e487671e2e4d
                              • Opcode Fuzzy Hash: 55b86fd4c128dbdf46444d199cc4df61c31a4c5d8665139148860c5ecf5e8733
                              • Instruction Fuzzy Hash: 93219032905118EBCF05EB94E956BEDBBB5FF48310F24002AF501B2292DF751E85CB95
                              Function 00828341 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00828346
                              • fputs.MSVCRT ref: 0082835B
                              • fputs.MSVCRT ref: 00828364
                                • Part of subcall function 008283BF: __EH_prolog.LIBCMT ref: 008283C4
                                • Part of subcall function 008283BF: fputs.MSVCRT ref: 00828401
                                • Part of subcall function 008283BF: fputs.MSVCRT ref: 00828437
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: c59ccae14db3811bc41f0bcb1fd399ab113ee7094615c8d574f58cdc3b3e4b40
                              • Instruction ID: de54888bdae229b812cceabc8103d6bc6f1f67df365e0bad03487f9e37a6bcce
                              • Opcode Fuzzy Hash: c59ccae14db3811bc41f0bcb1fd399ab113ee7094615c8d574f58cdc3b3e4b40
                              • Instruction Fuzzy Hash: 0001A231A00018EBCF05FBA8D81AAEDBB75FF84710F00402AF501D23A2CF794A96DB91
                              Function 00887DA0 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON
                              Download Yara Rule
                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0080AB57), ref: 00887DAA
                              • GetLastError.KERNEL32(?,00000000,0080AB57), ref: 00887DBB
                              • CloseHandle.KERNELBASE(00000000,?,00000000,0080AB57), ref: 00887DCF
                              • GetLastError.KERNEL32(?,00000000,0080AB57), ref: 00887DD9
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                              • String ID:
                              • API String ID: 1796208289-0
                              • Opcode ID: 2064b31c2b435265e2b8cbce8b65e5421a66e3937988db3655a5e288dca1fcac
                              • Instruction ID: 982c83f196b7fbc840161dc8a3c45245a4cc1ba783f0aaa6996b602fd70c5b89
                              • Opcode Fuzzy Hash: 2064b31c2b435265e2b8cbce8b65e5421a66e3937988db3655a5e288dca1fcac
                              • Instruction Fuzzy Hash: 08F0FE7230860247EB207ABD9C84B3666B8FF523B8B340726E561D32E8EA65DC408720
                              Function 00812096 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 722COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0081209B
                                • Part of subcall function 007F757D: GetLastError.KERNEL32(007FD14C), ref: 007F757D
                                • Part of subcall function 00812C6C: __EH_prolog.LIBCMT ref: 00812C71
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 683690243-1569138187
                              • Opcode ID: a1b0ce1eceabb3d99f04fc00a625da6de9a499848338aeecc54844fb774463e0
                              • Instruction ID: 80fd480e2f72897b5cc4cb8dad6fde55c0261669472d4770fa43d30f686fddf4
                              • Opcode Fuzzy Hash: a1b0ce1eceabb3d99f04fc00a625da6de9a499848338aeecc54844fb774463e0
                              • Instruction Fuzzy Hash: 79725570900258DFCB25DFA8C884BEDBBB9FF58304F14409AE959A7352C774AA91CF91
                              Function 0082C911 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CountTickfputs
                              • String ID: .
                              • API String ID: 290905099-4150638102
                              • Opcode ID: ee0a6f94c5fb95b2dfa9e795e17558a03d3881483b76bf1aadc36ff6254a0888
                              • Instruction ID: df9fd933a6c8632c81a1555130e74f032f85ebde3df34c05262b4c960ab733d9
                              • Opcode Fuzzy Hash: ee0a6f94c5fb95b2dfa9e795e17558a03d3881483b76bf1aadc36ff6254a0888
                              • Instruction Fuzzy Hash: 5D713530600B189FCB21EB68D995ABEB7F6FF81300F10481DE59797642DB74B885CB11
                              Function 008308B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 007F9C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 007F9CB3
                                • Part of subcall function 007F9C8F: GetProcAddress.KERNEL32(00000000), ref: 007F9CBA
                                • Part of subcall function 007F9C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 007F9CC8
                              • __aulldiv.LIBCMT ref: 0083093F
                              • __aulldiv.LIBCMT ref: 0083094B
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                              • String ID: 3333
                              • API String ID: 3520896023-2924271548
                              • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction ID: dd8da8f8061c56e001b316fb3e90418eaf390dbffbee691decbf01f54839af40
                              • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction Fuzzy Hash: 6C219AB19007046FE730EF7A8881B5BFAF9FB84751F00892EB285D7642D67099408BA5
                              Function 0081A7C5 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 606COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              • memset.MSVCRT ref: 0081AEBA
                              • memset.MSVCRT ref: 0081AECD
                                • Part of subcall function 008304D2: _CxxThrowException.MSVCRT(?,008A4A58), ref: 008304F8
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: memset$ExceptionThrowfree
                              • String ID: Split
                              • API String ID: 1404239998-1882502421
                              • Opcode ID: 8ba1ecf54ffb1d7885d031657dbdef66a15db0f1289c1d9b4a4960bbdbeea966
                              • Instruction ID: 08bdbb9962862e20979a250755d0f6a8a213159a4f6656dff02bcad2f1089fd9
                              • Opcode Fuzzy Hash: 8ba1ecf54ffb1d7885d031657dbdef66a15db0f1289c1d9b4a4960bbdbeea966
                              • Instruction Fuzzy Hash: 87424970A05248DFDF29DBA4C984BEDBBB9FF05314F1440A9E449E7252CB31AE85CB52
                              Function 007F759A Relevance: 4.6, APIs: 3, Instructions: 64fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F759F
                                • Part of subcall function 007F764C: CloseHandle.KERNELBASE(00000000,?,007F75AF,00000002,?,00000000,00000000), ref: 007F7657
                              • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 007F75E5
                              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 007F7626
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CreateFile$CloseH_prologHandle
                              • String ID:
                              • API String ID: 449569272-0
                              • Opcode ID: 1d0fd0dc6fcdca8f6291df1ab200d7f5cccad34816c882c94e6d1fd92adb90c1
                              • Instruction ID: 0ad309988a352f6001dbc182a1821a9f49bcdfdfc80854bb298de98de363eeb9
                              • Opcode Fuzzy Hash: 1d0fd0dc6fcdca8f6291df1ab200d7f5cccad34816c882c94e6d1fd92adb90c1
                              • Instruction Fuzzy Hash: AE11B47280410EEFCF15AFA4CC418FEBB7AFF04354B148529FA61922A1C7398D61EB50
                              Function 008283BF Relevance: 4.6, APIs: 3, Instructions: 60COMMON
                              Download Yara Rule
                              APIs
                              • fputs.MSVCRT ref: 00828437
                              • fputs.MSVCRT ref: 00828401
                                • Part of subcall function 007F1FB3: __EH_prolog.LIBCMT ref: 007F1FB8
                              • __EH_prolog.LIBCMT ref: 008283C4
                                • Part of subcall function 007F1FA0: fputc.MSVCRT ref: 007F1FA7
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs$fputc
                              • String ID:
                              • API String ID: 678540050-0
                              • Opcode ID: 72d35285799840adb85e2ea67dd6ccaae16da7bf17c07cf68dc5d4456698aba7
                              • Instruction ID: 9eabd48a4257a0e46bd9ae33a928b603cf96b82e60f4a705d3d29bf7183cc35b
                              • Opcode Fuzzy Hash: 72d35285799840adb85e2ea67dd6ccaae16da7bf17c07cf68dc5d4456698aba7
                              • Instruction Fuzzy Hash: D7117331A05119DBCF09BBA4D81B5BEBBA5EF40750F50002AF601D2392DF6E194586D9
                              Function 007F7731 Relevance: 4.6, APIs: 3, Instructions: 60COMMON
                              Download Yara Rule
                              APIs
                              • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,007F77DB,?,?,00000000,?,007F7832,?), ref: 007F7773
                              • GetLastError.KERNEL32(?,007F77DB,?,?,00000000,?,007F7832,?,?,?,?,00000000), ref: 007F7780
                              • SetLastError.KERNEL32(00000000,?,?,007F77DB,?,?,00000000,?,007F7832,?,?,?,?,00000000), ref: 007F7797
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$FilePointer
                              • String ID:
                              • API String ID: 1156039329-0
                              • Opcode ID: 32e53975a27775530b1edf7fed5c116dc5e3fd6bddad4bb6ef3936ec969c6d1f
                              • Instruction ID: 5b828f031f0b355a1008933fde4f1dcb1d1a31c12d5479c65ac519cb74c33cdd
                              • Opcode Fuzzy Hash: 32e53975a27775530b1edf7fed5c116dc5e3fd6bddad4bb6ef3936ec969c6d1f
                              • Instruction Fuzzy Hash: FE11BF31604309AFEF19AF68DC85BAE37E5BF04320F148429FA16973A1D7B99D50DB60
                              Function 007F5A8C Relevance: 4.6, APIs: 3, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F5A91
                              • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 007F5AB7
                              • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 007F5AEC
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFile$H_prolog
                              • String ID:
                              • API String ID: 3790360811-0
                              • Opcode ID: 8ee1b9875d4daabaa2d53b1259f98e2bf098cb3f40c22fbe6c6b2e28c4ccb16f
                              • Instruction ID: fa2e437f922c6267a2e638b2ec1fdc207ad289d4a84f2f900d072725bc6a24e7
                              • Opcode Fuzzy Hash: 8ee1b9875d4daabaa2d53b1259f98e2bf098cb3f40c22fbe6c6b2e28c4ccb16f
                              • Instruction Fuzzy Hash: 1A018072D0021DEBCF15ABA4D885ABEBB75FF40350F188426EF12A2352CA3A8D16D650
                              Function 00825883 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 22COMMON
                              Download Yara Rule
                              APIs
                              • EnterCriticalSection.KERNEL32(008B2938), ref: 0082588B
                              • LeaveCriticalSection.KERNEL32(008B2938), ref: 008258BC
                                • Part of subcall function 0082C911: GetTickCount.KERNEL32 ref: 0082C926
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$CountEnterLeaveTick
                              • String ID: v
                              • API String ID: 1056156058-3261393531
                              • Opcode ID: 68a485d70909c804a9869a8c2c1599eabb3df968d44d55179acb6c1e0c223cf2
                              • Instruction ID: 0d4f0db50bd210a05d05e1bb3f03ebb8383b4d666c24c82161b6d30cce82ec6d
                              • Opcode Fuzzy Hash: 68a485d70909c804a9869a8c2c1599eabb3df968d44d55179acb6c1e0c223cf2
                              • Instruction Fuzzy Hash: BAE0E575605620DFC304EF18E909E9A7BA5FF98311F05057EF409C7362CB70D989CAA2
                              Function 00805BEA Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 481COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00805BEF
                                • Part of subcall function 008054C0: __EH_prolog.LIBCMT ref: 008054C5
                                • Part of subcall function 00805630: __EH_prolog.LIBCMT ref: 00805635
                                • Part of subcall function 008136EA: __EH_prolog.LIBCMT ref: 008136EF
                                • Part of subcall function 008057C1: __EH_prolog.LIBCMT ref: 008057C6
                                • Part of subcall function 008058BE: __EH_prolog.LIBCMT ref: 008058C3
                              Strings
                              • Cannot seek to begin of file, xrefs: 0080610F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Cannot seek to begin of file
                              • API String ID: 3519838083-2298593816
                              • Opcode ID: f2ad0e4ae25f2f6ba667a1f17675ce47abcb3df8223bb31f2c5a251e5e8e6391
                              • Instruction ID: e21ec35fcc57ef001dc2a3082600fe73d530300d1fcb7dc29b6cedbc79e7a70d
                              • Opcode Fuzzy Hash: f2ad0e4ae25f2f6ba667a1f17675ce47abcb3df8223bb31f2c5a251e5e8e6391
                              • Instruction Fuzzy Hash: F212FE31904649DFDB65DBA4C888BEEBBB5FF04304F04002DE586A72D2DB74AA54CB61
                              Function 00834E8A Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 468COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00834E8F
                                • Part of subcall function 007F965D: VariantClear.OLEAUT32(?), ref: 007F967F
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ClearH_prologVariantfree
                              • String ID: file
                              • API String ID: 904627215-2359244304
                              • Opcode ID: 7ebebc43895a6c00115a4a281e47ce7a8c3e50c3f52688ffc4076312ab275736
                              • Instruction ID: 6cd6c1ed7e6877929649172b5e8215973d5beee4f50f08831e8b2eac39f769b1
                              • Opcode Fuzzy Hash: 7ebebc43895a6c00115a4a281e47ce7a8c3e50c3f52688ffc4076312ab275736
                              • Instruction Fuzzy Hash: D5125C7490020DDBCF15EFA4C999AEDBBB6FF44344F244068E505EB292DB36AE46CB50
                              Function 00812CDB Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 388COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00812CE0
                                • Part of subcall function 007F5E10: __EH_prolog.LIBCMT ref: 007F5E15
                                • Part of subcall function 008041EC: _CxxThrowException.MSVCRT(?,008A4A58), ref: 0080421A
                                • Part of subcall function 007F965D: VariantClear.OLEAUT32(?), ref: 007F967F
                              Strings
                              • Cannot create output directory, xrefs: 00813070
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ClearExceptionThrowVariant
                              • String ID: Cannot create output directory
                              • API String ID: 814188403-1181934277
                              • Opcode ID: 9bf729b06520f4b2eb99c0850866bb78a0d6a0354c3f776d3eebce5a1a48e653
                              • Instruction ID: 331bbcc419306237b6ae94a69ca81ea63ec5580caeac94c51add5348e11d58df
                              • Opcode Fuzzy Hash: 9bf729b06520f4b2eb99c0850866bb78a0d6a0354c3f776d3eebce5a1a48e653
                              • Instruction Fuzzy Hash: 23F1A17090128DDFCF21EFA8C895AEDBBB9FF18300F1440A9E545A7252DB319E96CB51
                              Function 0082C7D7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • fputs.MSVCRT ref: 0082C840
                                • Part of subcall function 007F25CB: _CxxThrowException.MSVCRT(?,008A4A58), ref: 007F25ED
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs
                              • String ID:
                              • API String ID: 1334390793-399585960
                              • Opcode ID: 1fe385542f33e0891de627a3f9427ff9774054d82f13ce657da85d2377ba13f6
                              • Instruction ID: 768180fef6aca81bb8b6f3df59f00c274940aa4169c63e90c1bce7318d57ab85
                              • Opcode Fuzzy Hash: 1fe385542f33e0891de627a3f9427ff9774054d82f13ce657da85d2377ba13f6
                              • Instruction Fuzzy Hash: 8011BF716047449FDB25CF58D8D5BAABBE6FF49304F04846EE18ACB251C7B5B844CB60
                              Function 00826086 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Open
                              • API String ID: 1795875747-71445658
                              • Opcode ID: 919cb74e36b5b07669d2c534f540195d0de58f56d52d9df6c5d8d487ee46838d
                              • Instruction ID: 32ed1516467a6c57eb0b3403c6df58ef3700716fad9e0b19ce4f20b05effa895
                              • Opcode Fuzzy Hash: 919cb74e36b5b07669d2c534f540195d0de58f56d52d9df6c5d8d487ee46838d
                              • Instruction Fuzzy Hash: BF118C32101714DFC724AF74E995AEABBA5FB14310F54892FE29AC3212EA35A954CF50
                              Function 008058BE Relevance: 3.3, APIs: 2, Instructions: 253COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 008058C3
                                • Part of subcall function 007F6C72: __EH_prolog.LIBCMT ref: 007F6C77
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 7a3a3f8cbd888df38bce01069c484ba04e5b82a2e9605839b1e2fc8f2e36e4f3
                              • Instruction ID: ba8bc822c1a687c788fe144eba9614d9c06be26abb25de884b060a9df81f1a1d
                              • Opcode Fuzzy Hash: 7a3a3f8cbd888df38bce01069c484ba04e5b82a2e9605839b1e2fc8f2e36e4f3
                              • Instruction Fuzzy Hash: 5B91CE31A00509DADF21EBA4CC95ABEBBB6FF44350F244069E602E7292DB35AD44CB71
                              Function 008406AE Relevance: 3.2, APIs: 2, Instructions: 206COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 008406B3
                              • _CxxThrowException.MSVCRT(?,008AD480), ref: 008408F2
                                • Part of subcall function 007F1E0C: malloc.MSVCRT ref: 007F1E1F
                                • Part of subcall function 007F1E0C: _CxxThrowException.MSVCRT(?,008A4B28), ref: 007F1E39
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prologmalloc
                              • String ID:
                              • API String ID: 3044594480-0
                              • Opcode ID: 7adf39099d4d3b847a1160f7f59c028a7edfe7a872cb2a57f0279d2effbd7188
                              • Instruction ID: 657f0312b5ac14b5e2c5400053572d9cc04e1623da80600971a2ed1118dbfdaa
                              • Opcode Fuzzy Hash: 7adf39099d4d3b847a1160f7f59c028a7edfe7a872cb2a57f0279d2effbd7188
                              • Instruction Fuzzy Hash: 6A91387490024DDFCB21DFA8C985AEEBBB5FF49304F1480A9E545A7252CB35AE44CFA1
                              Function 00807190 Relevance: 3.1, APIs: 2, Instructions: 138COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 5d872f588f03f1ed6842e6c767d4fe21e88bb1c073bb232803ddc1210bac8fd5
                              • Instruction ID: ef31e929d43d15b8d5c7d11e351bf460a9fee6add3c1fcdfbbdf89c3af3069aa
                              • Opcode Fuzzy Hash: 5d872f588f03f1ed6842e6c767d4fe21e88bb1c073bb232803ddc1210bac8fd5
                              • Instruction Fuzzy Hash: E151B071908B809FDBA5DB64C890AEABBF1FF45300F58885DE5D78B282D730B984DB51
                              Function 00817B48 Relevance: 3.1, APIs: 2, Instructions: 122COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00817B4D
                              • memcpy.MSVCRT(00000000,008B27DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00817C65
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prologmemcpy
                              • String ID:
                              • API String ID: 2991061955-0
                              • Opcode ID: 778b81c07c474dea449562458d28e19c0cc9c735dec020270f5df68748d84f8e
                              • Instruction ID: 9ddca7357dd5acdabb1489a6473aca9c6a360b177ce31d882a8e78db70b838ba
                              • Opcode Fuzzy Hash: 778b81c07c474dea449562458d28e19c0cc9c735dec020270f5df68748d84f8e
                              • Instruction Fuzzy Hash: FB416871904218DBCF20EBA8C955AEEB7F8FF04304F10452DE456A7392DB35AA89CB61
                              Function 00841511 Relevance: 3.0, APIs: 2, Instructions: 39COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00841516
                                • Part of subcall function 008410D3: __EH_prolog.LIBCMT ref: 008410D8
                              • _CxxThrowException.MSVCRT(?,008AD480), ref: 00841561
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              • Opcode ID: 0b2c64ba9b5955480a5a11fba6b573491575cf4e2b36e45f26bfb099598405a2
                              • Instruction ID: a84ae195839230c93948ed4620639847357bf015bec39646bb59ec8e950fe814
                              • Opcode Fuzzy Hash: 0b2c64ba9b5955480a5a11fba6b573491575cf4e2b36e45f26bfb099598405a2
                              • Instruction Fuzzy Hash: 5E01F232500249AEDF119F98C819BEE7FB8FF85360F04405AF505DA212C3B5A99587A1
                              Function 008257FB Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00825800
                              • fputs.MSVCRT ref: 00825830
                                • Part of subcall function 007F1FA0: fputc.MSVCRT ref: 007F1FA7
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputcfputsfree
                              • String ID:
                              • API String ID: 195749403-0
                              • Opcode ID: 8fb32f6cc6805cac0b5b0b6ef0381185342489159fdb24725a6025578bea267a
                              • Instruction ID: 63bf551a85110891e4789c44988243c638271703bf198ddc4d23c6adb8c8e2b2
                              • Opcode Fuzzy Hash: 8fb32f6cc6805cac0b5b0b6ef0381185342489159fdb24725a6025578bea267a
                              • Instruction Fuzzy Hash: 10F05E32914518DBCB15BB94E4067EEBBB1FF04760F40442AE602E3692CB755995CB84
                              Function 0082B5B1 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs$fputc
                              • String ID:
                              • API String ID: 1185151155-0
                              • Opcode ID: 9e84a42c01c83192e00e7457ed54174247d0653d5e20e80d9640fa6cc1e2a461
                              • Instruction ID: f14c8a1320d64b33da5eeef7732544ce6600ecd017bcc918d80f57b83743adc4
                              • Opcode Fuzzy Hash: 9e84a42c01c83192e00e7457ed54174247d0653d5e20e80d9640fa6cc1e2a461
                              • Instruction Fuzzy Hash: 1AE0C23720B120AFA6162F48BC0285437D5FBCA361329002FE780D7260AF233C155EA8
                              Function 007F950D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
                              Download Yara Rule
                              APIs
                              • SysAllocStringLen.OLEAUT32(?,?), ref: 007F952C
                              • _CxxThrowException.MSVCRT(?,008A55B8), ref: 007F954A
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID:
                              • API String ID: 3773818493-0
                              • Opcode ID: fc93512fa2f6c023c95a969e4a78c0e6ba7544dae3088a669194579bcb4237cf
                              • Instruction ID: f97958626347e59c918e914a417f40d26d2f26ea885bf95a4881e23a31082644
                              • Opcode Fuzzy Hash: fc93512fa2f6c023c95a969e4a78c0e6ba7544dae3088a669194579bcb4237cf
                              • Instruction Fuzzy Hash: 5CF06D72610308ABC714EFA8D859E967BECFF05380740842AFA08CB710E775E84087A0
                              Function 00887E00 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast_beginthreadex
                              • String ID:
                              • API String ID: 4034172046-0
                              • Opcode ID: c55401fb4a18c4671764585c03fe7b7d6002db2dd169b63c5817d041b2f650ac
                              • Instruction ID: 840040e39ffba3aac057e23f6cdd9e349d12463d61303411a9ba08e89ea1ca92
                              • Opcode Fuzzy Hash: c55401fb4a18c4671764585c03fe7b7d6002db2dd169b63c5817d041b2f650ac
                              • Instruction Fuzzy Hash: EEE0C2B22082026BF310AB64DC42F7772ACFBA0B40F54847DFA45C7180EA60CD00C7B2
                              Function 007F9C4D Relevance: 3.0, APIs: 2, Instructions: 7COMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,007F9C6E), ref: 007F9C52
                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 007F9C59
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: Process$AffinityCurrentMask
                              • String ID:
                              • API String ID: 1231390398-0
                              • Opcode ID: ef2f8fe23b390be8ca91d9db1de855ca8eca6c0dcbd2637463d9b0e269afe0ae
                              • Instruction ID: 5a907e25288600a75864c1a4c0fafbde1d04b073b638034d7d6d713327496458
                              • Opcode Fuzzy Hash: ef2f8fe23b390be8ca91d9db1de855ca8eca6c0dcbd2637463d9b0e269afe0ae
                              • Instruction Fuzzy Hash: B7B012B2440600FFCF00BBB0DD0DC163B2CFA043017084646F109C2010C637C045CB60
                              Function 007FB668 Relevance: 2.7, APIs: 2, Instructions: 222COMMON
                              Download Yara Rule
                              APIs
                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 007FB843
                              • GetLastError.KERNEL32 ref: 007FB8AA
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLastmemcpy
                              • String ID:
                              • API String ID: 2523627151-0
                              • Opcode ID: 65d83d454b831f4f2d010a341252af4db5e0b4e22a2be146c9fec236672d96af
                              • Instruction ID: 302d1524cee9635d75df5ebc9f761c8097477b3bb1a2cff0414637e2d91cdda6
                              • Opcode Fuzzy Hash: 65d83d454b831f4f2d010a341252af4db5e0b4e22a2be146c9fec236672d96af
                              • Instruction Fuzzy Hash: 38815C71600709DFDB64DE65C980A7AB7F6BF88354F14892EEA4687B40E738F841CB50
                              Function 007F1E0C Relevance: 2.5, APIs: 2, Instructions: 18COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 2436765578-0
                              • Opcode ID: 09d9e1f32926070805571174120343d3cc1728a589b4dba4dddf820af9141515
                              • Instruction ID: ece995cb7cc738d3e6941eff3004a12d6c2ad2f33da4ed5df6936a36bea1ad72
                              • Opcode Fuzzy Hash: 09d9e1f32926070805571174120343d3cc1728a589b4dba4dddf820af9141515
                              • Instruction Fuzzy Hash: 7BE0C23000024CAADF106FA0D8047A83FA8AF01766F80E015FE1C9E202C274C7D19754
                              Function 0083B05D Relevance: 2.2, APIs: 1, Instructions: 653COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 930478dd49a0e54afb5ae42a1a91543ca8b41cec4471fccb8f828edd6d9f1595
                              • Instruction ID: 46c4812156f8c330e49d990926e46d6946db54187d994d2dbb2bb3f9535d4d6a
                              • Opcode Fuzzy Hash: 930478dd49a0e54afb5ae42a1a91543ca8b41cec4471fccb8f828edd6d9f1595
                              • Instruction Fuzzy Hash: C1528DB0900249DFDF11CFA8C598BAEBBB5FF89304F184099E905EB291DB759E41CB61
                              Function 00806305 Relevance: 1.9, APIs: 1, Instructions: 377COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9b7eb554cc662aa1ddbc2fb233b413006373a4fbdecc919dc23178ad2266f92a
                              • Instruction ID: b3092b9a63f040cdd368a5dfa3662bf9cd97a10c1be1510aa401e30be487c8ad
                              • Opcode Fuzzy Hash: 9b7eb554cc662aa1ddbc2fb233b413006373a4fbdecc919dc23178ad2266f92a
                              • Instruction Fuzzy Hash: BFF1DD70904785DFCF61CF64C890AAABBE1FF15304F58486EE49ACB291E731AD64CB52
                              Function 008410D3 Relevance: 1.8, APIs: 1, Instructions: 336COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 12d78e48a495982019ddff6141aaecadfacdd4922725baa820cb2a513fb50f09
                              • Instruction ID: 8019967ec68f04d2adee7ba44c0ce3911b17991af3e5b31427fc59d35bc53a18
                              • Opcode Fuzzy Hash: 12d78e48a495982019ddff6141aaecadfacdd4922725baa820cb2a513fb50f09
                              • Instruction Fuzzy Hash: 7FD16970A00749AFDF28CFA8C888BEEBBB1FF58304F108529E555E7651D775A884CB91
                              Function 0083CF91 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0083CF96
                                • Part of subcall function 00841511: __EH_prolog.LIBCMT ref: 00841516
                                • Part of subcall function 00841511: _CxxThrowException.MSVCRT(?,008AD480), ref: 00841561
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              • Opcode ID: a3aa863a7f1674f6e60c398cefecc1d4e634c09d08eecf7dd8ce3d92dca05149
                              • Instruction ID: d12aec777445ac1bf5319648353a7d536eed0130d2c75ca4dc59f9d66007aaa7
                              • Opcode Fuzzy Hash: a3aa863a7f1674f6e60c398cefecc1d4e634c09d08eecf7dd8ce3d92dca05149
                              • Instruction Fuzzy Hash: 59517C31900289DFCB11CFA8D898BAEBBB4FF89304F1844ADE45AD7242C7719E45CB61
                              Function 0082F784 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 0cd0462f2b67d0dfc14739f78896ebea51f7a17a22e722c6f489f4f16eb6d1b3
                              • Instruction ID: a117a27bab54086abe3b1db48e1dd037ea03b764b70d848a89ad8ce5db78f459
                              • Opcode Fuzzy Hash: 0cd0462f2b67d0dfc14739f78896ebea51f7a17a22e722c6f489f4f16eb6d1b3
                              • Instruction Fuzzy Hash: 21515A74A0061ADFCB14CFA4D4809AAFBB2FF49304B10497DE692EB752D331A945CF90
                              Function 0083AD3A Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: cd8c4dfd0977aae058a09c82203c42435971b5bab67cd37f139da5a54b7ac7c6
                              • Instruction ID: 0873057012fb4ae31571516a6499aa73ff93aa916a36dd4be6dc33a0861d05b1
                              • Opcode Fuzzy Hash: cd8c4dfd0977aae058a09c82203c42435971b5bab67cd37f139da5a54b7ac7c6
                              • Instruction Fuzzy Hash: DB419F70A00746EFDB28CF64C484B6ABBA4FF85314F148A6DE496C7691C370ED85CB91
                              Function 00804250 Relevance: 1.6, APIs: 1, Instructions: 114COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00804255
                                • Part of subcall function 0080440B: __EH_prolog.LIBCMT ref: 00804410
                                • Part of subcall function 007F1E0C: malloc.MSVCRT ref: 007F1E1F
                                • Part of subcall function 007F1E0C: _CxxThrowException.MSVCRT(?,008A4B28), ref: 007F1E39
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 4fde853c137e8be37ed840cb4eb275d6366aa8b833ac83814859cc1708b6c38c
                              • Instruction ID: 62bce44e8fe736fcdc084ca133a540cc2812a85e870c86f84782151967448d9e
                              • Opcode Fuzzy Hash: 4fde853c137e8be37ed840cb4eb275d6366aa8b833ac83814859cc1708b6c38c
                              • Instruction Fuzzy Hash: 6E510AB0401744CFC726DFA9C18469AFBF0FF19304F5588AEC59A97752D7B4A608CB61
                              Function 0081D0E1 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0081D0E6
                                • Part of subcall function 007F1E0C: malloc.MSVCRT ref: 007F1E1F
                                • Part of subcall function 007F1E0C: _CxxThrowException.MSVCRT(?,008A4B28), ref: 007F1E39
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrowmalloc
                              • String ID:
                              • API String ID: 3978722251-0
                              • Opcode ID: 7edb92f5d4ae05471b0aff3a679bd271d53ebf27530b49436c648ee51f58c153
                              • Instruction ID: 29b4d53c319a03cf89e3e5b953c71d3eb73fb94c023579cf59eafc4fef034b4d
                              • Opcode Fuzzy Hash: 7edb92f5d4ae05471b0aff3a679bd271d53ebf27530b49436c648ee51f58c153
                              • Instruction Fuzzy Hash: FE419F71A00358EBCB15DBA8C984BAEFBB8FF45310F244559E846E7282CBB49D45CB91
                              Function 00807FC5 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00807FCA
                                • Part of subcall function 007F950D: SysAllocStringLen.OLEAUT32(?,?), ref: 007F952C
                                • Part of subcall function 007F950D: _CxxThrowException.MSVCRT(?,008A55B8), ref: 007F954A
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AllocExceptionH_prologStringThrow
                              • String ID:
                              • API String ID: 1940201546-0
                              • Opcode ID: 61d7b36b8da292efaabf749d31877a61fa2477c883605ce879e35757b6ab0bf9
                              • Instruction ID: b02eadf4d40ba757a968e24ce34c79677cd233ff65af9eb5e56ca44cf0a9eeed
                              • Opcode Fuzzy Hash: 61d7b36b8da292efaabf749d31877a61fa2477c883605ce879e35757b6ab0bf9
                              • Instruction Fuzzy Hash: 1131A07282050DDADF54AFA4CC559FE7770FF24314F404029E252E76A2DE359A88DB51
                              Function 0082ADB7 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0082ADBC
                                • Part of subcall function 0082AD29: __EH_prolog.LIBCMT ref: 0082AD2E
                                • Part of subcall function 0082AF2D: __EH_prolog.LIBCMT ref: 0082AF32
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 3a57adb748231f5dbdde38182393ab785b50a807fade744170d4c1ffb80af2b2
                              • Instruction ID: 22f3deb10e438939fe104b380027e36d7125bc2b79d514b4488a2a72ca7d7bff
                              • Opcode Fuzzy Hash: 3a57adb748231f5dbdde38182393ab785b50a807fade744170d4c1ffb80af2b2
                              • Instruction Fuzzy Hash: 0E41C97144ABC4DEC326DF7881656D6FFE0AF25200F98899EC0EA43753D674A60CC766
                              Function 0081062E Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 3c6c86609fa0cd5d3a4d935871fcfd762cdf6f3152ba23b4165f79983635d70c
                              • Instruction ID: 1812e20f429b2c57455a6b9b34928e1e40c012b24ec2cc0f042a96116a221e0f
                              • Opcode Fuzzy Hash: 3c6c86609fa0cd5d3a4d935871fcfd762cdf6f3152ba23b4165f79983635d70c
                              • Instruction Fuzzy Hash: C031FAB1D00209EFCB14EF99CC918EEBBB9FF94364F208519E516A7251C7705981CFA0
                              Function 008198F2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 008198F7
                                • Part of subcall function 00819987: __EH_prolog.LIBCMT ref: 0081998C
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 2f71066fb6424048ceeb9b5188682ce0ef4977fd849f7066f0e98998ad83f047
                              • Instruction ID: 07a25c986b546a58ae4fefc5679f96ffe3df1f45c5586d4ddcc896c52b35e4fe
                              • Opcode Fuzzy Hash: 2f71066fb6424048ceeb9b5188682ce0ef4977fd849f7066f0e98998ad83f047
                              • Instruction Fuzzy Hash: C51164356002059FDB14CF68C8A4EAAB7A9FF89750F14895CE992DB2A1CB31E841CB60
                              Function 0081021A Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0081021F
                                • Part of subcall function 00803D66: __EH_prolog.LIBCMT ref: 00803D6B
                                • Part of subcall function 00803D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803D7D
                                • Part of subcall function 00803D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803D94
                                • Part of subcall function 00803D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00803DB6
                                • Part of subcall function 00803D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803DCB
                                • Part of subcall function 00803D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803DD5
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 1532160333-0
                              • Opcode ID: 784ae737e8bc701bfbf34c5945fd97baf1e61397325c5f92fdf723c4aa76567a
                              • Instruction ID: 94e6ac3f5684a24a2198cc7259dbff0123a315117fbbe4cb0001f455ffb55c77
                              • Opcode Fuzzy Hash: 784ae737e8bc701bfbf34c5945fd97baf1e61397325c5f92fdf723c4aa76567a
                              • Instruction Fuzzy Hash: 722139B1946B90CFC321CF6E86D0686FFF4BB19600B94996ED1DA83B12C370A548CF55
                              Function 00811C6F Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00811C74
                                • Part of subcall function 007F6C72: __EH_prolog.LIBCMT ref: 007F6C77
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9860ee05958d0e427bd31912ede37b3e7c38cf336c50bca3e54b4486980cb35f
                              • Instruction ID: 62dec284951c6ef4ef80c326d6b12c7d8c2bc40eee4e63fc5cdd6fd2cf716c10
                              • Opcode Fuzzy Hash: 9860ee05958d0e427bd31912ede37b3e7c38cf336c50bca3e54b4486980cb35f
                              • Instruction Fuzzy Hash: B2115E31910208DBCF15FBE4D95ABFDBB79FF04354F000068EA42A7293DB655D8AC6A4
                              Function 00807E5A Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00807E5F
                                • Part of subcall function 007F6C72: __EH_prolog.LIBCMT ref: 007F6C77
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                                • Part of subcall function 007F757D: GetLastError.KERNEL32(007FD14C), ref: 007F757D
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID:
                              • API String ID: 683690243-0
                              • Opcode ID: a4f0bbd56b760522dfa9f05e3426da2795b514d3db90037313853e4c4511acbb
                              • Instruction ID: 6359ac3592f1a9fa5d08facd07075da14e5e9fa5b1cd6e2ae43b8c3c2201df76
                              • Opcode Fuzzy Hash: a4f0bbd56b760522dfa9f05e3426da2795b514d3db90037313853e4c4511acbb
                              • Instruction Fuzzy Hash: 5301C472A45704DFC725EF78C8929EEBBB1FF45310F10463EE98393692CA346949CA50
                              Function 0083BF8C Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0083BF91
                                • Part of subcall function 0083D144: __EH_prolog.LIBCMT ref: 0083D149
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: acfa7980bb771bcea4c7ae5a90ec50f67b2460dd684e774f227156a1cc959cc0
                              • Instruction ID: f36206b5e7ed692850463597296758e8d8e28e1d6bdea0a0ae0138d9e79c4e52
                              • Opcode Fuzzy Hash: acfa7980bb771bcea4c7ae5a90ec50f67b2460dd684e774f227156a1cc959cc0
                              • Instruction Fuzzy Hash: 22115E71504754DFCB24EFA4C909BDABBF4FF01344F00492CA5A6E3692DBB5AA08CB81
                              Function 0083BDB5 Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0083BDBA
                                • Part of subcall function 0083BE69: __EH_prolog.LIBCMT ref: 0083BE6E
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 0c5639941a145c3f16f5445f4a515aff4f6af0c97d1e89b95d95c029a49c36da
                              • Instruction ID: cabf4a3d2e8b25d3ce0a9aff9f4d8ef4a59b441c2201284389cfb07e3482a659
                              • Opcode Fuzzy Hash: 0c5639941a145c3f16f5445f4a515aff4f6af0c97d1e89b95d95c029a49c36da
                              • Instruction Fuzzy Hash: CF11E6B5501784CFCB21DF99C588686FBE4FB19304F54C86ED1AA87712D7B0A548CB51
                              Function 007F7AB2 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON
                              Download Yara Rule
                              APIs
                              • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,007F1AD1,00000000,00000002,00000002,?,007F7B3E,?,00000000), ref: 007F7AFD
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: 6e327f9181902b3b98e427add1e59649051ee48b74c0daea408b0e344aaf7a62
                              • Instruction ID: 3bfa197c6c5a691f099d6a94c2dbe35817cfca03a932f8b6f62398467296d731
                              • Opcode Fuzzy Hash: 6e327f9181902b3b98e427add1e59649051ee48b74c0daea408b0e344aaf7a62
                              • Instruction Fuzzy Hash: DC018F70104248BFDF2A9F54CC09FFA3FA5AB05320F14814DBAA6563E2C6A59E60D754
                              Function 0082ACF8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0082C0B8
                                • Part of subcall function 00817193: __EH_prolog.LIBCMT ref: 00817198
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 07a26fc8c39b214dcaee3e8551fe4a067bf7fa45d23db959c37b5a74e2044934
                              • Instruction ID: e821e76c8b682235a56c3b19796fbd4890ee7e8118ad90ae95ba6699850abd1b
                              • Opcode Fuzzy Hash: 07a26fc8c39b214dcaee3e8551fe4a067bf7fa45d23db959c37b5a74e2044934
                              • Instruction Fuzzy Hash: B6F0B472A04625DBDB25AF99E8417BEF3A9FF54760F10002FE501D7602CBB59C808690
                              Function 0083035F Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00830364
                                • Part of subcall function 008301C4: __EH_prolog.LIBCMT ref: 008301C9
                                • Part of subcall function 00830143: __EH_prolog.LIBCMT ref: 00830148
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                                • Part of subcall function 008303D8: __EH_prolog.LIBCMT ref: 008303DD
                                • Part of subcall function 0083004A: __EH_prolog.LIBCMT ref: 0083004F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 9c435a09f80d05bdd06101d7219f8b7d59205407195659ef443fbc3bd3f96f77
                              • Instruction ID: e7b44d9db5eae4aed392eef91e6aea4e99f82ab8ab8ac4650e63f61fc11efb58
                              • Opcode Fuzzy Hash: 9c435a09f80d05bdd06101d7219f8b7d59205407195659ef443fbc3bd3f96f77
                              • Instruction Fuzzy Hash: 8EF0F430914A54DBCB19FBBCC8263ADBBE4FF00314F10465DE152A36D2CBB85B048B8A
                              Function 00828565 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 4d102183b44998e9caa288b923c14d0b0f482ff94ca2aef6888481ef35ad1bbc
                              • Instruction ID: da68f299bec6bf972c526fb5fb6b7136d23090c5c9a8c786451322ccf65d5252
                              • Opcode Fuzzy Hash: 4d102183b44998e9caa288b923c14d0b0f482ff94ca2aef6888481ef35ad1bbc
                              • Instruction Fuzzy Hash: 05F0A932E1102AEBCF00EF98D8509AFBB74FF88790B00806AF516E7251CB348A05CBD4
                              Function 00835505 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0083550A
                                • Part of subcall function 00834E8A: __EH_prolog.LIBCMT ref: 00834E8F
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: b724627ebed1289d421354e9c4482ed9535d74f4b8effe34cf6754fe9ea8d22a
                              • Instruction ID: 38b8642b610052519fbd16fe6de55cdfdb30f4d1df2deea1babbeef698bcbda5
                              • Opcode Fuzzy Hash: b724627ebed1289d421354e9c4482ed9535d74f4b8effe34cf6754fe9ea8d22a
                              • Instruction Fuzzy Hash: 03F06D76600919EBCB019F48D811B9E7BBAFFC5764F10442AF401D7201DB71ED008BE1
                              Function 00819987 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 373cd57a497a9e1c99ad4189038fb72d9bc846cdfbeb72f917bb0c979b0959f2
                              • Instruction ID: f3a263baf81e611a76f6f0576af8b9f1f58bb5099ed3b176250aa42243324fbe
                              • Opcode Fuzzy Hash: 373cd57a497a9e1c99ad4189038fb72d9bc846cdfbeb72f917bb0c979b0959f2
                              • Instruction Fuzzy Hash: 98E06D71A00108AFC700EF98D855F9ABBA8FF48364F10841AF00AD7241C7749900CA64
                              Function 00835E2B Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00835E30
                                • Part of subcall function 008308B6: __aulldiv.LIBCMT ref: 0083093F
                                • Part of subcall function 0080DFC9: __EH_prolog.LIBCMT ref: 0080DFCE
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$__aulldiv
                              • String ID:
                              • API String ID: 604474441-0
                              • Opcode ID: 54379c3f07a674d0b21a10c5328fd32851de24e3c71cf0efc6659e6fdd9aee1a
                              • Instruction ID: 70849d64c8eb3cdd1de3fc2ad256a370662da6d17ed59069e05d5ff35b0e1425
                              • Opcode Fuzzy Hash: 54379c3f07a674d0b21a10c5328fd32851de24e3c71cf0efc6659e6fdd9aee1a
                              • Instruction Fuzzy Hash: 59E03970E01754DFCB55EFAC955128EB6E4FB08700F00586FA042D3B41DAB4A9008B81
                              Function 00838ED1 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00838ED6
                                • Part of subcall function 00839267: __EH_prolog.LIBCMT ref: 0083926C
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 66fe224fdf672e714c7d9289e6283046a71c2abaac4471010d1d471ab7e88a88
                              • Instruction ID: 040b16ae56fdae9d64c4cb0f0d6b2965680e17821843ab1246455c805f0b739a
                              • Opcode Fuzzy Hash: 66fe224fdf672e714c7d9289e6283046a71c2abaac4471010d1d471ab7e88a88
                              • Instruction Fuzzy Hash: 97E09271920920DACB09EB68D522BDDB7A8FF45704F00065DF053E2582CBF86604C792
                              Function 007F7C68 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 007F7C8B
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 12e2a222c51da77fe73b21f11c7cd9c28860a1370e3b221394c3786a4adfdbf3
                              • Instruction ID: dfb9d39531309eca7aa9a27dbbd7eb0d81b965b7d935f3348d8e64737bdd6dba
                              • Opcode Fuzzy Hash: 12e2a222c51da77fe73b21f11c7cd9c28860a1370e3b221394c3786a4adfdbf3
                              • Instruction Fuzzy Hash: 58E01A75600209FBCF11CFA5D801B8E7BB9FB09754F20C06AF9199A260D73ADA50DF54
                              Function 0083BE69 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0083BE6E
                                • Part of subcall function 00835E2B: __EH_prolog.LIBCMT ref: 00835E30
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 9623a664351352bf2c40a2ef4069e044d9534ea4f559fa9f5d52ffd0d92dd29d
                              • Instruction ID: 145ae2750b7ec7e8dade0ca63d98435fcbac0775fddca6c9d35c17f5e606e543
                              • Opcode Fuzzy Hash: 9623a664351352bf2c40a2ef4069e044d9534ea4f559fa9f5d52ffd0d92dd29d
                              • Instruction Fuzzy Hash: 89E09271A24A608BD715FB68C411BDDB7A8FB50314F00885EE096D32C2CFB46A08C7A2
                              Function 007F2201 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 401d9003193381eb07d4b2b95a9d775caad4dccf6761b2e69a85b70df2dc41c7
                              • Instruction ID: 77e5b8737c2625d3ac49c8bb37f17a1a680a08b004693bcd86614602b45f7558
                              • Opcode Fuzzy Hash: 401d9003193381eb07d4b2b95a9d775caad4dccf6761b2e69a85b70df2dc41c7
                              • Instruction Fuzzy Hash: C1D0123250411DABCF156F94DC05CDD77BCFF18254B04441BF555E2150EA75E51487A4
                              Function 0082F745 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0082F74A
                                • Part of subcall function 0082F784: __EH_prolog.LIBCMT ref: 0082F789
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 417f41405dcf0f7e2fb6a3de4219a4cda9351bfc65a16b70597210f0b3978d5d
                              • Instruction ID: 2e36f0e8071f9efa08eab9d69b3edf1474065ee7234f0a8b05fb1b63861f5ce2
                              • Opcode Fuzzy Hash: 417f41405dcf0f7e2fb6a3de4219a4cda9351bfc65a16b70597210f0b3978d5d
                              • Instruction Fuzzy Hash: ABD01271A10254BFDB14AB89D912BAEB778FB40764F10053EF101E1541C3B55900C6A5
                              Function 007F7B4F Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                              Download Yara Rule
                              APIs
                              • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,007F785F,00000000,00004000,00000000,00000002,?,?,?), ref: 007F7B65
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: cc410322b2eabd8548a1bc0eb281b3a299f003e2b0e8ef567bbe2770bd5eb4c1
                              • Instruction ID: cabea5626d1eef0727a05f0ff1c62687b0c018a4cbb5d0acc3f6108cdbea0626
                              • Opcode Fuzzy Hash: cc410322b2eabd8548a1bc0eb281b3a299f003e2b0e8ef567bbe2770bd5eb4c1
                              • Instruction Fuzzy Hash: 9AE0EC75200208FBDF01CF90CD01F8E7BB9BB49758F208059F90596160C376AA54EB54
                              Function 008480AA Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 008480AF
                                • Part of subcall function 007F1E0C: malloc.MSVCRT ref: 007F1E1F
                                • Part of subcall function 007F1E0C: _CxxThrowException.MSVCRT(?,008A4B28), ref: 007F1E39
                                • Part of subcall function 0083BDB5: __EH_prolog.LIBCMT ref: 0083BDBA
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 8bb1550409a789e0fe2e3876f6a1322ad167daf8d2d5f0ca1411a18d29cc707a
                              • Instruction ID: a77e853434de01047ac3d6c068e73a7c9fb9f365f8408198d398c1605746b05b
                              • Opcode Fuzzy Hash: 8bb1550409a789e0fe2e3876f6a1322ad167daf8d2d5f0ca1411a18d29cc707a
                              • Instruction Fuzzy Hash: CAD01771A01505AECB08FBB8982666E72A0FB84300F00457DA116E2781EF7489008A55
                              Function 007F6848 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              • FindClose.KERNELBASE(00000000,?,007F6880), ref: 007F6853
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: d7f86086be51e60aabdb27ab3851335e50ce8966c9f2c54e764d60ea539b03a4
                              • Instruction ID: 3f2d88157e9d299ee1198ab0bdb2ba923f3d0195a8ecde5127f4b39ca2d2c4df
                              • Opcode Fuzzy Hash: d7f86086be51e60aabdb27ab3851335e50ce8966c9f2c54e764d60ea539b03a4
                              • Instruction Fuzzy Hash: 56D01231104221868A646E3D78449E537D86E06374325075EF0B0C32E1D7668C835750
                              Function 007F2010 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: a3cd203144c045ef69b8029ca038ad2b0e1cdfe696409927b178405f4c38941e
                              • Instruction ID: dee20abbfe6a9f628b6c8a3f37e766dc32200a1fc71af52fc168ccbab03cc6de
                              • Opcode Fuzzy Hash: a3cd203144c045ef69b8029ca038ad2b0e1cdfe696409927b178405f4c38941e
                              • Instruction Fuzzy Hash: 5CD0C93700C251AF96256F05EC09C8BBBA5FFD5320725082FF484921619B626C25DAA4
                              Function 007F1FA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              • Opcode ID: 35c6e246f1daec7d7fa296f876a09b0f7f23e438cb8e9bd962f91f409713bfb8
                              • Instruction ID: a9700f2757d25a7ae2ed3e17bc5a463b69a276734806767cc6e3ac4b7ceda1c0
                              • Opcode Fuzzy Hash: 35c6e246f1daec7d7fa296f876a09b0f7f23e438cb8e9bd962f91f409713bfb8
                              • Instruction Fuzzy Hash: 32B092323082209BE6182A9CBC0AAC07794EB09732B25005BF544C21909A921C814A99
                              Function 007F7C3B Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON
                              Download Yara Rule
                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,007F7C65,00000000,00000000,?,007FF238,?,?,?,?), ref: 007F7C49
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: b71336bc9c45871c213e24d90926ee984a4803fca297cd56fe32aac61d41fc5a
                              • Instruction ID: 6707aa379360f028ca7cfd5c315bcdcecab6cd5727c07e21e47c62431b82fb3c
                              • Opcode Fuzzy Hash: b71336bc9c45871c213e24d90926ee984a4803fca297cd56fe32aac61d41fc5a
                              • Instruction Fuzzy Hash: 11C04C36158105FF8F025F70CC04C1ABBA2BBA5711F10C919F15AC4070C7338024EB16
                              Function 007F7D3C Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON
                              Download Yara Rule
                              APIs
                              • SetEndOfFile.KERNELBASE(?,007F7D81,?,?,?), ref: 007F7D3E
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: File
                              • String ID:
                              • API String ID: 749574446-0
                              • Opcode ID: 0ee96e49c1c1759577738a2f03900536787247cab98738a460c046de02bcf677
                              • Instruction ID: f5f11888c86f4f6d29753dc674ff9a342151afd52fbbfe4fc77cffb8734cd352
                              • Opcode Fuzzy Hash: 0ee96e49c1c1759577738a2f03900536787247cab98738a460c046de02bcf677
                              • Instruction Fuzzy Hash: DDA002702E511B8FCF112F34DC098243AA1BB537077A427A5B003CA4F5DF234419AA05
                              Function 007FC4D6 Relevance: 1.5, APIs: 1, Instructions: 205COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: ea766bbac354886c059e9840de4c004b0dd3e73070ca857bbfe0365882e25ddf
                              • Instruction ID: f1d8234add680d148bb8c22f91f8c9073b9f5703151cb280563b2dbe14ae7344
                              • Opcode Fuzzy Hash: ea766bbac354886c059e9840de4c004b0dd3e73070ca857bbfe0365882e25ddf
                              • Instruction Fuzzy Hash: 4B813E71D0424D9FDF16CFA8C684AFEBBB5AF48304F248469D611A7341D779AA84CF60
                              Function 00803E04 Relevance: 1.3, APIs: 1, Instructions: 17COMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNELBASE(00000000,00000000,00803D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00803E12
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: a432ed6e834549ae9f3a2c989c7230fbaebb55746f4eb0e6b96a48e4886aa371
                              • Instruction ID: 7b79ae49657f1bda40c3b91927c3730ca0a916396d38818aad737487f6de7164
                              • Opcode Fuzzy Hash: a432ed6e834549ae9f3a2c989c7230fbaebb55746f4eb0e6b96a48e4886aa371
                              • Instruction Fuzzy Hash: 66D0123151421147DBB05E2DFC047D173DDBF10321B15455AF880DB190E765CCC25A54
                              Function 00876BC6 Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction ID: fee5cf5016a031f26959e3a008eaf390b0082bb8843691beba2ff7362e4b652e
                              • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction Fuzzy Hash: 24D0237020390501CF4846304C0971B3084FF41326F18CC7CE817CB585F714C2388244
                              Function 007F764C Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNELBASE(00000000,?,007F75AF,00000002,?,00000000,00000000), ref: 007F7657
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 1fb79d8a2a8292f43b5d1280dcd2cb1134507bd80c51d5a620ba35f063af1ac6
                              • Instruction ID: 60b66684b851836b955e413912256a2fef3e6e917b02a5da0c7eb7298a7be213
                              • Opcode Fuzzy Hash: 1fb79d8a2a8292f43b5d1280dcd2cb1134507bd80c51d5a620ba35f063af1ac6
                              • Instruction Fuzzy Hash: 49D01231108622868A686E3CBC459D233E86A12334365475AF0B1C73F1D3658C838654
                              Function 00876B23 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000), ref: 00876B31
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 8947123360642f30d1e5b7b9248c73d54ff3a64674dfcbe4d623fe8d35f0c60e
                              • Instruction ID: 38014814f4c307a0e7d26ed939ee69f98ca341fe4771a6d04de7cb40f25a4858
                              • Opcode Fuzzy Hash: 8947123360642f30d1e5b7b9248c73d54ff3a64674dfcbe4d623fe8d35f0c60e
                              • Instruction Fuzzy Hash: C3C08CE1A4D280DFDF0223108C407603B209B83300F0A00C2E4045B092C2051808C722
                              Function 008769D0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction ID: a94180b15de9dad1744486a24cfcd8680e848036ac422eeb8cc0a5c567442568
                              • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction Fuzzy Hash: 8CA024C551104001DD1C33343C015173000F7503077C044FC7705C0107F715C1141007
                              Function 00876AF0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction ID: f3ce641f87c8500108a0c3e6f742b38af10238ebe6e40f708b69a8de4692268d
                              • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction Fuzzy Hash: 61A011CCE0000002AE08223838028A32022FAE0A0ABE8C8B8BA08C020AFA28C0282003
                              Function 00876BA3 Relevance: 1.3, APIs: 1, Instructions: 6COMMON
                              Download Yara Rule
                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00876BAC
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: 62076f9ffcc1ea994f58f0bd6be9c317bc77afa8de585c5ad84d812de1485a62
                              • Instruction ID: bb04d21039fb4728fb746dbbff19d68158eb5b3440709704bf94fabf0b9475a2
                              • Opcode Fuzzy Hash: 62076f9ffcc1ea994f58f0bd6be9c317bc77afa8de585c5ad84d812de1485a62
                              • Instruction Fuzzy Hash: E2A00278680B40B7ED6077316D4FF5937247781F05F7485457241690D05AE570549A5C
                              Function 008769F0 Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction ID: c5dd30a39289226ccffb2fcf7d6677761fc5dae0930d1937f0be485000b6e731
                              • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction Fuzzy Hash:
                              Function 00876B10 Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction ID: 8c6d5225a8afdccac21b5755a1728f3bc66622148c626952eb0d29e4ab18704e
                              • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction Fuzzy Hash:
                              Function 007F1E40 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 047c11e495ed4181b3eb55fc81fc6ce21b3f0c8fd1156b1af31cd55dd67b04ac
                              • Instruction ID: 64e132f40e27b1d9fd033df50dd3073233dfd6ab2f2decce50c26a2db8031402
                              • Opcode Fuzzy Hash: 047c11e495ed4181b3eb55fc81fc6ce21b3f0c8fd1156b1af31cd55dd67b04ac
                              • Instruction Fuzzy Hash: 81A00271405101DBDA052B10EE094897B61FB85627B25445BF057504718B324860BA05

                              Non-executed Functions

                              Function 00890090 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: Version
                              • String ID:
                              • API String ID: 1889659487-0
                              • Opcode ID: e9039892e56679aae7944eb6acb4a453d6229d58f7621fcc73fc57549a5418cc
                              • Instruction ID: 978c1a1df37212850fd46144d08882df85af8e922639b1c91a34daf0d1eeab90
                              • Opcode Fuzzy Hash: e9039892e56679aae7944eb6acb4a453d6229d58f7621fcc73fc57549a5418cc
                              • Instruction Fuzzy Hash: E9D012729118154BDB00762CCC062597765F760300FCC0954D865C1153F96AC6558A93
                              Function 007FC085 Relevance: 21.5, APIs: 17, Instructions: 290COMMON
                              Download Yara Rule
                              APIs
                              • memcmp.MSVCRT(?,008A48A0,00000010), ref: 007FC09E
                              • memcmp.MSVCRT(?,008A0258,00000010), ref: 007FC0BB
                              • memcmp.MSVCRT(?,008A0348,00000010), ref: 007FC0CE
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 948fc9802f91bc428f83784b24f1153a1b5eb0b1907fff7bc489ffd188573c2d
                              • Instruction ID: 5ee9b78f8a92e3427acaf856ba44758ba636b166bed7b245816a4d85521fe0c7
                              • Opcode Fuzzy Hash: 948fc9802f91bc428f83784b24f1153a1b5eb0b1907fff7bc489ffd188573c2d
                              • Instruction Fuzzy Hash: 3D91737164061CABE7619A25CD41FBB33A8FF65750F048028FE4AD7702F728AE14CB92
                              Function 0085447A Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 291COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                              • API String ID: 3519838083-1909666238
                              • Opcode ID: 308952dc27874cf2ab11ac1bc54e800eae965664b8379de16ec47d1fd936d456
                              • Instruction ID: f917df30c828cb76c65fcdfa5ed6a053220c19cb96686c4414a60f107de37ac6
                              • Opcode Fuzzy Hash: 308952dc27874cf2ab11ac1bc54e800eae965664b8379de16ec47d1fd936d456
                              • Instruction Fuzzy Hash: 81C1E031900289EFDB14DF64C455ABD7BA1FB0130AF1990B9E9499B262DB349ECDDB40
                              Function 007F64F3 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 116threadCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F64F8
                              • GetCurrentThreadId.KERNEL32 ref: 007F6508
                              • GetTickCount.KERNEL32 ref: 007F6513
                              • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 007F651E
                              • GetTickCount.KERNEL32 ref: 007F6578
                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 007F65C5
                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 007F65EC
                                • Part of subcall function 007F5D7A: __EH_prolog.LIBCMT ref: 007F5D7F
                                • Part of subcall function 007F5D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 007F5DA1
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                              • String ID: .tmp$d
                              • API String ID: 1989517917-2797371523
                              • Opcode ID: 7904c0ed02c676ff934541a4f01965c3a966c07943fb41d33832dc8262684f52
                              • Instruction ID: 9b682cbc1e56125839ab908fd40057f73e846d2b39d7c195b4312737e5a9b409
                              • Opcode Fuzzy Hash: 7904c0ed02c676ff934541a4f01965c3a966c07943fb41d33832dc8262684f52
                              • Instruction Fuzzy Hash: F041CD32A14128DBDF15ABA0D8597FD7BB1FF55355F14012AE612B73A2CB3D8910CB21
                              Function 008285C6 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 37COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                              • API String ID: 1795875747-657955069
                              • Opcode ID: e1a8631359f42e87df56d0ed749920b9061d063a1c7f7d9c6768a7716b3e7744
                              • Instruction ID: d8e920e681a888a49449d1f9381bc87e2e2dff7255be3f8c7f90bf1041646406
                              • Opcode Fuzzy Hash: e1a8631359f42e87df56d0ed749920b9061d063a1c7f7d9c6768a7716b3e7744
                              • Instruction Fuzzy Hash: 8CF0E232605219BBCE1477946C84D2EFF59EF86360B280027FB04C3342EF2618608EA5
                              Function 00826244 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs
                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                              • API String ID: 1798449854-1259944392
                              • Opcode ID: 75355e98edcba2d703a6289d06126ff3f8ebfacae38f8c0a7eb5ffec0ce41016
                              • Instruction ID: 5b95bad592fe30ec9c10a8ed4f1e7db9f70ecfb65e043fce3472d215e1c7c561
                              • Opcode Fuzzy Hash: 75355e98edcba2d703a6289d06126ff3f8ebfacae38f8c0a7eb5ffec0ce41016
                              • Instruction Fuzzy Hash: 17217131A00619DFCB09EB98D946ABEB3A4FF64310F54002AE702D7792DB74AD568B81
                              Function 007FA08C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007FA091
                                • Part of subcall function 007F9BAA: RegCloseKey.ADVAPI32(?,?,007F9BA0), ref: 007F9BB6
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CloseH_prolog
                              • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                              • API String ID: 1579395594-270022386
                              • Opcode ID: d0873a643f093d15ddb436d092c90d7424aba59083916ad71c308c94b9ea0a88
                              • Instruction ID: 5b89855a3227ec0b249d8f4288cc8d71760aaa9661cda937e057e230973e858c
                              • Opcode Fuzzy Hash: d0873a643f093d15ddb436d092c90d7424aba59083916ad71c308c94b9ea0a88
                              • Instruction Fuzzy Hash: AC518FB1A0020DEFCF11EF98C8959BEB7B5FF58340F504429E626A7341DB78A905CB52
                              Function 008246CF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 59timeCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 008246D4
                              • EnterCriticalSection.KERNEL32(008B2918), ref: 008246E8
                              • CompareFileTime.KERNEL32(?,?), ref: 00824712
                              • LeaveCriticalSection.KERNEL32(008B2918), ref: 0082476A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$CompareEnterFileH_prologLeaveTime
                              • String ID: v
                              • API String ID: 3800395459-3261393531
                              • Opcode ID: 08f38c1327cfa1125e462ac077cfca86abb1c692f861f7dcf19005856738405b
                              • Instruction ID: 38046837d70fff4cb272bcf8b5e3c44db84703501bc2b1a79ab3486219897bc5
                              • Opcode Fuzzy Hash: 08f38c1327cfa1125e462ac077cfca86abb1c692f861f7dcf19005856738405b
                              • Instruction Fuzzy Hash: FF21CD71500609EFDB21DF68E488B9ABBF4FF41304F14841AE96AC7611D734FA88CBA0
                              Function 008503D6 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 212COMMON
                              Download Yara Rule
                              APIs
                              • memset.MSVCRT ref: 008503F5
                              • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 00850490
                              • memset.MSVCRT ref: 00850618
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: memset$memcpy
                              • String ID: $@
                              • API String ID: 368790112-1077428164
                              • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                              • Instruction ID: f765ae7c06a9180610244a68f4d3d0d038d6961ec32a9846c33fca050a58cfa0
                              • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                              • Instruction Fuzzy Hash: 9C91C131900309AFDB20DF64C841BDAB7B1FF54305F048859E99AA7192D770BA9DCF81
                              Function 007F613C Relevance: 7.6, APIs: 5, Instructions: 150COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F6141
                                • Part of subcall function 007F6C72: __EH_prolog.LIBCMT ref: 007F6C77
                              • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 007F6197
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 007F626E
                              • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 007F62A9
                                • Part of subcall function 007F6096: __EH_prolog.LIBCMT ref: 007F609B
                                • Part of subcall function 007F6096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 007F60DF
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 007F6285
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$H_prolog$DeleteFile
                              • String ID:
                              • API String ID: 3586524497-0
                              • Opcode ID: 2c67e7346126eff855befd2158ef1d180daa800610f04ec537edbf1ac5391657
                              • Instruction ID: 56c48f8f7e0ac9e85358ffee4a03ee33f7314ea9fd8e5ea8efdc09ae942d1416
                              • Opcode Fuzzy Hash: 2c67e7346126eff855befd2158ef1d180daa800610f04ec537edbf1ac5391657
                              • Instruction Fuzzy Hash: 3C51A931C0421CEADF15EBE8D859BFDBB74BF11350F104169EA51B3292DB396A0ACB61
                              Function 008044C2 Relevance: 7.6, APIs: 6, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                              • memcmp.MSVCRT(?,008A48A0,00000010), ref: 008044DB
                              • memcmp.MSVCRT(?,008A0128,00000010), ref: 008044EE
                              • memcmp.MSVCRT(?,008A0228,00000010), ref: 0080450B
                              • memcmp.MSVCRT(?,008A0248,00000010), ref: 00804528
                              • memcmp.MSVCRT(?,008A01C8,00000010), ref: 00804545
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: f02d35ed57c5aad3131fb26d76232e01fa17707ddc39efae5c53a3e99fa91a1f
                              • Instruction ID: 6ddc1d18e5fdc515309c08a13c41273dd29bf72471c157af5d4496f1dbf1d9a1
                              • Opcode Fuzzy Hash: f02d35ed57c5aad3131fb26d76232e01fa17707ddc39efae5c53a3e99fa91a1f
                              • Instruction Fuzzy Hash: 942183B17802086BE754AE149C82F7E33A9FB557A4B108139FF05DA286F664DE008791
                              Function 0083C414 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: !$LZMA2:$LZMA:
                              • API String ID: 3519838083-3332058968
                              • Opcode ID: 7c97c63ae9c6d9c58be689be6d42fd89d03e3bee0280730cc29f8d0e2345680f
                              • Instruction ID: 503b768f71a7b9170e172253875177a78392198bed20aacc300a3a9c4f1580c4
                              • Opcode Fuzzy Hash: 7c97c63ae9c6d9c58be689be6d42fd89d03e3bee0280730cc29f8d0e2345680f
                              • Instruction Fuzzy Hash: 1C61DC7090410AEEDB25DB64C45ABFD7BA1FFA5344F1440A9E506F7262EB74AE80CB80
                              Function 007FA384 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007FA389
                                • Part of subcall function 007FA4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,007FA3C1,00000001), ref: 007FA4CD
                                • Part of subcall function 007FA4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 007FA4DD
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AddressH_prologHandleModuleProc
                              • String ID: : $ SP:$Windows
                              • API String ID: 786088110-3655538264
                              • Opcode ID: a5338714f43502d14f9ed104e48877aba181b1c60a12e060013a73fc85bd9d86
                              • Instruction ID: 651bf84ebed2cfeaf3f8d2edc42b0fa05a40bb4a1b1601d603e0fb63a33b32f1
                              • Opcode Fuzzy Hash: a5338714f43502d14f9ed104e48877aba181b1c60a12e060013a73fc85bd9d86
                              • Instruction Fuzzy Hash: 7731EC7190011DEACF15FBE4C85A9FDBBB4BF14340F404069E70673292DB796A86DAA1
                              Function 00826025 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0082602A
                              • EnterCriticalSection.KERNEL32(008B2938), ref: 00826044
                              • LeaveCriticalSection.KERNEL32(008B2938), ref: 00826060
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID: v
                              • API String ID: 367238759-3261393531
                              • Opcode ID: 714d5f930893bda7446123657b0ce4d054fbfafa1ad459cfbd6bb3fd9a1fe6b6
                              • Instruction ID: 887babde028fe8036daae262380252e56a4712d0586f123c939cdfa62aa2e4ff
                              • Opcode Fuzzy Hash: 714d5f930893bda7446123657b0ce4d054fbfafa1ad459cfbd6bb3fd9a1fe6b6
                              • Instruction Fuzzy Hash: 84F09A36910114EFC701EF98D809EDEBBB8FF45360F14806AF405E7211C7B59A04CBA0
                              Function 007FA4C5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,007FA3C1,00000001), ref: 007FA4CD
                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 007FA4DD
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-1489217083
                              • Opcode ID: 1ec6563e375015ddbebafbdab2ca988ff9eafe8c511d32d74aec95f2459ac5f7
                              • Instruction ID: e6703534c1f1d0c262fcd041741c546e1a19a92ac5a0ba00e97e24f9e2110a89
                              • Opcode Fuzzy Hash: 1ec6563e375015ddbebafbdab2ca988ff9eafe8c511d32d74aec95f2459ac5f7
                              • Instruction Fuzzy Hash: 82D0A7713542102BBA2077B87C4EBF6264CFB80B5070A4413F800C0140E6CD9D8201AA
                              Function 00810306 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
                              Download Yara Rule
                              APIs
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00810359
                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00810382
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 008103DA
                              • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 008103F0
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ErrorFileLastSecurity
                              • String ID:
                              • API String ID: 555121230-0
                              • Opcode ID: 2984dd46f63cceb02549856f6f536b341fcfe806bccef30e25dd9b7134da05b6
                              • Instruction ID: 77a09b01ecb73b95c55329febe0961bff535227fa0716c70318bafc3aeecdc58
                              • Opcode Fuzzy Hash: 2984dd46f63cceb02549856f6f536b341fcfe806bccef30e25dd9b7134da05b6
                              • Instruction Fuzzy Hash: 66310274900209EFDB10DFA8C884BAEBBB9FF44304F148959E566D7351D7B1AA81DF60
                              Function 007F82FB Relevance: 6.1, APIs: 4, Instructions: 78COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007F8300
                              • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 007F834F
                              • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 007F837C
                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 007F839B
                                • Part of subcall function 007F1E40: free.MSVCRT ref: 007F1E44
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                              • String ID:
                              • API String ID: 1689166341-0
                              • Opcode ID: 56d5e017a90c1b448987c41d558d25090bedfa8de4009f858d5e6667a9b3f608
                              • Instruction ID: adbf755cafed659c4beb6df40e23dbb251ea2f1cc49a03e45eab011370d27946
                              • Opcode Fuzzy Hash: 56d5e017a90c1b448987c41d558d25090bedfa8de4009f858d5e6667a9b3f608
                              • Instruction Fuzzy Hash: F321A176500108EFDF11AF94DC85AEE7BB9EF55750F24002EFA05A6351CA364E04C665
                              Function 008360D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: BlockPackSize$BlockUnpackSize
                              • API String ID: 3519838083-5494122
                              • Opcode ID: c093eabbcbe71487c84f4fe3cd5b99ab3d5c3009e2357d8686c3077f6e275c5e
                              • Instruction ID: 4178a648e1d68677d1416b1a811a5aad75ac675058191e17b93cc5af2251299d
                              • Opcode Fuzzy Hash: c093eabbcbe71487c84f4fe3cd5b99ab3d5c3009e2357d8686c3077f6e275c5e
                              • Instruction Fuzzy Hash: C351D531800589BEDF398BACC4A4AFE7BA1FF96300F1AC05ED156D3196F62159A8D781
                              Function 007FA4F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 007FA4F8
                                • Part of subcall function 007FA384: __EH_prolog.LIBCMT ref: 007FA389
                                • Part of subcall function 007F9E14: GetSystemInfo.KERNEL32(?), ref: 007F9E36
                                • Part of subcall function 007F9E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 007F9E50
                                • Part of subcall function 007F9E14: GetProcAddress.KERNEL32(00000000), ref: 007F9E57
                              • strcmp.MSVCRT ref: 007FA564
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                              • String ID: -
                              • API String ID: 2798778560-3695764949
                              • Opcode ID: b50c9a2697ca6fd9ab3d7fa9b2ddf2b4b3588b7af1bba2793886c91bdf2db5cd
                              • Instruction ID: b1a97d6e2af21e038e6274184d72dfbc9ec2cc3050195ee0aede835d02bf8989
                              • Opcode Fuzzy Hash: b50c9a2697ca6fd9ab3d7fa9b2ddf2b4b3588b7af1bba2793886c91bdf2db5cd
                              • Instruction Fuzzy Hash: F4315771D0020DEACF15FBE4D85A9FDBB75BF54310F50402AF601B2292DB395A5ACA62
                              Function 00826184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$x
                              • API String ID: 3519838083-1948001322
                              • Opcode ID: 979757c0805e2749498d3847176fcae4f83bf313a53364f0be154ccfa155c679
                              • Instruction ID: c870fca3de65ef5e9086651a16b35541c86c7424dd78e6788acd88d81560f916
                              • Opcode Fuzzy Hash: 979757c0805e2749498d3847176fcae4f83bf313a53364f0be154ccfa155c679
                              • Instruction Fuzzy Hash: BD213836D0112DDBCF08EBD8D995AEDB7B5FF48304F14006AEA01B6242DB796E55CBA0
                              Function 00828685 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              • Cannot open encrypted archive. Wrong password?, xrefs: 00828698
                              • Cannot open the file as archive, xrefs: 008286D0
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                              • API String ID: 1795875747-1623556331
                              • Opcode ID: e2e5459f8c1ade80d43863687ac1d5243f0f4ccd85417634eab72d2f8b145c43
                              • Instruction ID: 966041adc8e2cad8c2c3a976156214487011e92e6202beaa58d1516d3601c03f
                              • Opcode Fuzzy Hash: e2e5459f8c1ade80d43863687ac1d5243f0f4ccd85417634eab72d2f8b145c43
                              • Instruction Fuzzy Hash: E701A231306210DBCE08E694E899A7EB3E7FFC8304F58441AF602C3786DF79A8418B15
                              Function 008282DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: =
                              • API String ID: 1795875747-2525689732
                              • Opcode ID: 53fb0594e254c7258243c887e1f17a3645057350521c1b154fec64464bc9abf4
                              • Instruction ID: 28a3296956982c4d7b44ff85c982f223995966050531171b915895702c0db6ce
                              • Opcode Fuzzy Hash: 53fb0594e254c7258243c887e1f17a3645057350521c1b154fec64464bc9abf4
                              • Instruction Fuzzy Hash: 86E0DF31A00128EBCF00FBE8AC458BE7F69FB80364B480823E521D7341EA709921CBE4
                              Function 008541C0 Relevance: 5.1, APIs: 4, Instructions: 57COMMON
                              Download Yara Rule
                              APIs
                              • memcmp.MSVCRT(?,008A48A0,00000010), ref: 008541D6
                              • memcmp.MSVCRT(?,008A0168,00000010), ref: 008541F1
                              • memcmp.MSVCRT(?,008A01E8,00000010), ref: 00854205
                              Memory Dump Source
                              • Source File: 0000000A.00000002.1812069694.00000000007F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 007F0000, based on PE: true
                              • Associated: 0000000A.00000002.1812039444.00000000007F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812148811.000000000089C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812187040.00000000008B2000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000A.00000002.1812229830.00000000008BB000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_10_2_7f0000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 897e7f6713c073f7d464144c5ce085119c0b31dc07e3efa3951f99ea97620eed
                              • Instruction ID: f95e7d43e30754b05a24eaf4f1170093216e6eedf0146a80e9dcf865042bec6b
                              • Opcode Fuzzy Hash: 897e7f6713c073f7d464144c5ce085119c0b31dc07e3efa3951f99ea97620eed
                              • Instruction Fuzzy Hash: 400104313802186BEB106A14CC42FBD77A4FB65755F048439FE45DB282F2B8AAA48741