Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe

Overview

General Information

Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
renamed because original name is a hash value
Original sample name:_1.1.6.exe
Analysis ID:1580553
MD5:1892cf920ffe70868b967804d9222b14
SHA1:2b2a0a6bbd472bf5aee0fb476d4ddd07f0c234dd
SHA256:459794c80f6ede491eefd8c6eabf5abe8cbd29a4d224e35072b38af2610f07d0
Tags:exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe (PID: 6824 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" MD5: 1892CF920FFE70868B967804D9222B14)
    • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" MD5: F71908CEAB1076D5D4250CBFCB02E6B2)
      • powershell.exe (PID: 6908 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 4180 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT MD5: 1892CF920FFE70868B967804D9222B14)
        • #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp (PID: 5324 cmdline: "C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$20428,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT MD5: F71908CEAB1076D5D4250CBFCB02E6B2)
          • 7zr.exe (PID: 2692 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • 7zr.exe (PID: 2108 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)
            • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 2132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • sc.exe (PID: 1700 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
              • conhost.exe (PID: 4584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 2132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cmd.exe (PID: 3688 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 3336 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6808 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2080 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5868 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6232 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6324 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5696 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5816 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6556 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6212 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7012 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1900 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6968 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6928 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7164 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6804 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7012 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5460 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6968 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6232 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2844 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2260 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 3336 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • Conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 3336 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5228 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7016 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6020 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6232 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2476 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 2488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2896 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1456 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6312 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 6328 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 7108 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5776 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 6904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 416 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5904 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 1900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 1456 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2312 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 5236 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2800 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 2308 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 416 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • sc.exe (PID: 5672 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 2912 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ParentProcessId: 6848, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6908, ProcessName: powershell.exe
Sigma detected: New Kernel Driver Via SC.EXE
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3688, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3336, ProcessName: sc.exe
Sigma detected: Powershell Defender Exclusion
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ParentProcessId: 6848, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6908, ProcessName: powershell.exe
Sigma detected: New Service Creation Using Sc.EXE
Source: Process startedAuthor: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 3688, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 3336, ProcessName: sc.exe
Sigma detected: Non Interactive PowerShell Process Spawned
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ParentProcessId: 6848, ParentProcessName: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 6908, ProcessName: powershell.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Windows NT\hrsw.vbcVirustotal: Detection: 37%Perma Link
Source: C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\update.vbcReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\update.vbcReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeVirustotal: Detection: 11%Perma Link
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 83.5% probability
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1750756154.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1750545180.0000000003430000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C9FE090 FindFirstFileA,FindClose,FindClose,5_2_6C9FE090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00266868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00266868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00267496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00267496
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, update.vbc.1.dr, update.vbc.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1689103122.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1688660591.0000000002790000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1691242631.0000000000481000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000000.1715050480.000000000093D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drString found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1689103122.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1688660591.0000000002790000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1691242631.0000000000481000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000000.1715050480.000000000093D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

barindex
Protects its processes via BreakOnTermination flag
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: 01 00 00 00 Jump to behavior

System Summary

barindex
PE file contains section with special chars
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: hrsw.vbc.5.drStatic PE information: section name: .aQ#
Source: update.vbc.5.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C883886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C883886
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA08810 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,5_2_6CA08810
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C883C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C883C62
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA09450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6CA09450
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C883D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C883D18
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C883D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C883D62
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C8839CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C8839CF
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C883A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,5_2_6C883A6A
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C881950: CreateFileA,DeviceIoControl,CloseHandle,5_2_6C881950
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C884754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,5_2_6C884754
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C8847545_2_6C884754
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CBE8D125_2_6CBE8D12
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CB54F0A5_2_6CB54F0A
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CB738815_2_6CB73881
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA048605_2_6CA04860
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CBDB06F5_2_6CBDB06F
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA0A1335_2_6CA0A133
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CB17A465_2_6CB17A46
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CB8CB305_2_6CB8CB30
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA69CE05_2_6CA69CE0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB6D505_2_6CAB6D50
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA3BEA15_2_6CA3BEA1
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CABCE805_2_6CABCE80
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA55EC95_2_6CA55EC9
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB18105_2_6CAB1810
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CABC9F05_2_6CABC9F0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CACD9305_2_6CACD930
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA3B9725_2_6CA3B972
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB4AA05_2_6CAB4AA0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAC7AA05_2_6CAC7AA0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB0AD05_2_6CAB0AD0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB2A505_2_6CAB2A50
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA43BCA5_2_6CA43BCA
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA53B665_2_6CA53B66
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA5840A5_2_6CA5840A
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB55805_2_6CAB5580
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAC25C05_2_6CAC25C0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CABC6E05_2_6CABC6E0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA3F7CF5_2_6CA3F7CF
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CADC7005_2_6CADC700
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAB30205_2_6CAB3020
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAC67505_2_6CAC6750
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002A81EC9_2_002A81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0027E00A9_2_0027E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E81C09_2_002E81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F82409_2_002F8240
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E22E09_2_002E22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_003023009_2_00302300
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FC3C09_2_002FC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002CE49F9_2_002CE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F04C89_2_002F04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E25F09_2_002E25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002D86509_2_002D8650
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DA6A09_2_002DA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002D66D09_2_002D66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002B09439_2_002B0943
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DC9509_2_002DC950
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FE9909_2_002FE990
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E2A809_2_002E2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002BAB119_2_002BAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002D8C209_2_002D8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E6CE09_2_002E6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F0E009_2_002F0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F4EA09_2_002F4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002C10AC9_2_002C10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002ED0899_2_002ED089
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002CB1219_2_002CB121
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F11209_2_002F1120
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DB1809_2_002DB180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E51809_2_002E5180
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F91C09_2_002F91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DD1D09_2_002DD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F72009_2_002F7200
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FD2C09_2_002FD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002EF3A09_2_002EF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0028B3E49_2_0028B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002C53F39_2_002C53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002653CF9_2_002653CF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FF3C09_2_002FF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002EF4209_2_002EF420
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002D74109_2_002D7410
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FD4709_2_002FD470
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002AD4969_2_002AD496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F54D09_2_002F54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F35309_2_002F3530
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0030351A9_2_0030351A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DF5009_2_002DF500
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002615729_2_00261572
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F15509_2_002F1550
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FF5999_2_002FF599
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_003036019_2_00303601
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002B96529_2_002B9652
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002ED6A09_2_002ED6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002797669_2_00279766
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002697CA9_2_002697CA
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002F77C09_2_002F77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0028F8E09_2_0028F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DF9109_2_002DF910
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FD9E09_2_002FD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00261AA19_2_00261AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002B3AEF9_2_002B3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E7AF09_2_002E7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0027BAC99_2_0027BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E7C509_2_002E7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0027BC929_2_0027BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002DFDF09_2_002DFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E5E809_2_002E5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E5F809_2_002E5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess token adjusted: SecurityJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: String function: 6CAD9F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: String function: 6CA3C240 appears 31 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 00261E40 appears 84 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 002628E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: String function: 002FFB10 appears 720 times
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.drStatic PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1688660591.00000000028AE000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1689103122.000000007F15A000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000000.1686440138.0000000000859000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeBinary or memory string: OriginalFileNameWYrCKz9k4wnV.exe vs #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.11.drBinary string: \Device\TfSysMon
Source: tProtect.dll.11.drBinary string: \Device\TfKbMonPWLCache
Source: classification engineClassification label: mal96.evad.winEXE@144/31@0/0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA09450 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,5_2_6CA09450
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00269313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,9_2_00269313
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00273D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,9_2_00273D66
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00269252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,9_2_00269252
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA08930 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW,5_2_6CA08930
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Program Files (x86)\Windows NT\is-BD2QT.tmpJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1900:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2912:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6256:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3336:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2488:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2896:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2476:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1216:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6328:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeFile created: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmpJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeVirustotal: Detection: 11%
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeFile read: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$20428,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess created: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp "C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$20428,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9ialdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofsJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: wininet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpWindow found: window name: TMainFormJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic file information: File size 9897435 > 1048576
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1750756154.00000000024E0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1750545180.0000000003430000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_002E57D0
Source: update.vbc.5.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: real checksum: 0x0 should be: 0x97533d
Source: update.vbc.1.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drStatic PE information: real checksum: 0x0 should be: 0x343a62
Source: tProtect.dll.11.drStatic PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.drStatic PE information: real checksum: 0x0 should be: 0x3789ec
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.drStatic PE information: real checksum: 0x0 should be: 0x343a62
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeStatic PE information: section name: .didata
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drStatic PE information: section name: .didata
Source: update.vbc.1.drStatic PE information: section name: .00cfg
Source: update.vbc.1.drStatic PE information: section name: .voltbl
Source: update.vbc.1.drStatic PE information: section name: .aQ#
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.drStatic PE information: section name: .didata
Source: 7zr.exe.5.drStatic PE information: section name: .sxdata
Source: hrsw.vbc.5.drStatic PE information: section name: .00cfg
Source: hrsw.vbc.5.drStatic PE information: section name: .voltbl
Source: hrsw.vbc.5.drStatic PE information: section name: .aQ#
Source: update.vbc.5.drStatic PE information: section name: .00cfg
Source: update.vbc.5.drStatic PE information: section name: .voltbl
Source: update.vbc.5.drStatic PE information: section name: .aQ#
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA0BDDB push ecx; ret 5_2_6CA0BDEE
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C8B0F00 push ss; retn 0001h5_2_6C8B0F0A
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CAD9F10 push eax; ret 5_2_6CAD9F2E
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA3E9F4 push 004AC35Ch; ret 5_2_6CA3EA0E
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CADA290 push eax; ret 5_2_6CADA2BE
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002645F4 push 0030C35Ch; ret 9_2_0026460E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FFB10 push eax; ret 9_2_002FFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002FFE90 push eax; ret 9_2_002FFEBE
Source: update.vbc.1.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: hrsw.vbc.5.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: update.vbc.5.drStatic PE information: section name: .aQ# entropy: 7.189081398239323
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeFile created: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeFile created: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeFile created: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Program Files (x86)\Windows NT\7zr.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\update.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpFile created: C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\update.vbcJump to dropped file
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpSystem information queried: FirmwareTableInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6096Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3587Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpWindow / User API: threadDelayed 651Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpWindow / User API: threadDelayed 605Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpWindow / User API: threadDelayed 583Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbcJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeDropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\update.vbcJump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exeAPI coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5904Thread sleep time: -5534023222112862s >= -30000sJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C9FE090 FindFirstFileA,FindClose,FindClose,5_2_6C9FE090
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00266868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,9_2_00266868
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00267496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,9_2_00267496
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00269C60 GetSystemInfo,9_2_00269C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000002.1719896330.00000000015FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000002.1719896330.00000000015FC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6C883886 NtSetInformationThread 00000000,00000011,00000000,000000005_2_6C883886
Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpThread information set: HideFromDebuggerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess queried: DebugPortJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA13871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CA13871
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_002E57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,9_2_002E57D0
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA1D425 mov eax, dword ptr fs:[00000030h]5_2_6CA1D425
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA1D456 mov eax, dword ptr fs:[00000030h]5_2_6CA1D456
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA1286D mov eax, dword ptr fs:[00000030h]5_2_6CA1286D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA13871 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_6CA13871
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CA0C3AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_6CA0C3AD

HIPS / PFW / Operating System Protection Evasion

barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
Found driver which could be used to inject code into processes
Source: tProtect.dll.11.drStatic PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENTJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpProcess created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= autoJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoarJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmpCode function: 5_2_6CADA720 cpuid 5_2_6CADA720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_0026AB2A GetSystemTimeAsFileTime,9_2_0026AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exeCode function: 9_2_00300090 GetVersion,9_2_00300090

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter		1
Windows Service		1
Access Token Manipulation		11
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts1
Service Execution		1
DLL Side-Loading		1
Windows Service		1
Disable or Modify Tools		LSASS Memory421
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain Accounts1
Native API		Logon Script (Windows)111
Process Injection		231
Virtualization/Sandbox Evasion		Security Account Manager231
Virtualization/Sandbox Evasion		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		1
Access Token Manipulation		NTDS2
Process Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
Process Injection		LSA Secrets1
Application Window Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
Deobfuscate/Decode Files or Information		Cached Domain Credentials2
System Owner/User Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
Obfuscated Files or Information		DCSync3
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
Software Packing		Proc Filesystem25
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
DLL Side-Loading		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1580553 Sample: #U5b89#U88c5#U7a0b#U5e8f_1.... Startdate: 25/12/2024 Architecture: WINDOWS Score: 96 105 Multi AV Scanner detection for dropped file 2->105 107 Multi AV Scanner detection for submitted file 2->107 109 Found driver which could be used to inject code into processes 2->109 111 3 other signatures 2->111 11 #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe 2 2->11         started        14 cmd.exe 2->14         started        16 cmd.exe 2->16         started        18 30 other processes 2->18 process3 file4 103 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, PE32 11->103 dropped 20 #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp 3 5 11->20         started        24 sc.exe 14->24         started        26 sc.exe 16->26         started        28 conhost.exe 16->28         started        30 sc.exe 1 18->30         started        32 sc.exe 1 18->32         started        34 sc.exe 1 18->34         started        36 26 other processes 18->36 process5 file6 87 C:\Users\user\AppData\Local\...\update.vbc, PE32 20->87 dropped 89 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->89 dropped 113 Adds a directory exclusion to Windows Defender 20->113 38 #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe 2 20->38         started        41 powershell.exe 23 20->41         started        44 conhost.exe 24->44         started        46 conhost.exe 26->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 conhost.exe 36->54         started        56 25 other processes 36->56 signatures7 process8 file9 91 C:\...\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, PE32 38->91 dropped 58 #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp 4 15 38->58         started        115 Loading BitLocker PowerShell Module 41->115 62 conhost.exe 41->62         started        64 WmiPrvSE.exe 41->64         started        66 sc.exe 44->66         started        68 Conhost.exe 44->68         started        signatures10 process11 file12 95 C:\Users\user\AppData\Local\...\update.vbc, PE32 58->95 dropped 97 C:\Program Files (x86)\Windows NT\hrsw.vbc, PE32 58->97 dropped 99 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 58->99 dropped 101 C:\Program Files (x86)\Windows NT\7zr.exe, PE32 58->101 dropped 117 Query firmware table information (likely to detect VMs) 58->117 119 Protects its processes via BreakOnTermination flag 58->119 121 Hides threads from debuggers 58->121 123 Contains functionality to hide a thread from the debugger 58->123 70 7zr.exe 2 58->70         started        73 cmd.exe 58->73         started        75 7zr.exe 7 58->75         started        77 cmd.exe 58->77         started        signatures13 process14 file15 93 C:\Program Files (x86)\...\tProtect.dll, PE32+ 70->93 dropped 79 conhost.exe 70->79         started        81 sc.exe 73->81         started        83 conhost.exe 75->83         started        process16 process17 85 conhost.exe 81->85         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe11%VirustotalBrowse
#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe5%ReversingLabsWin32.Trojan.Generic

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\Windows NT\7zr.exe0%ReversingLabs
C:\Program Files (x86)\Windows NT\7zr.exe0%VirustotalBrowse
C:\Program Files (x86)\Windows NT\hrsw.vbc26%ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc38%VirustotalBrowse
C:\Program Files (x86)\Windows NT\tProtect.dll9%ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll6%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\update.vbc26%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\_isetup\_setup64.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\update.vbc26%ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exefalse
    		high
    https://www.remobjects.com/ps#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1689103122.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1688660591.0000000002790000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1691242631.0000000000481000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000000.1715050480.000000000093D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drfalse
      		high
      https://www.innosetup.com/#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1689103122.000000007EE5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe, 00000000.00000003.1688660591.0000000002790000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000001.00000000.1691242631.0000000000481000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp, 00000005.00000000.1715050480.000000000093D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.4.dr, #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp.0.drfalse
        		high

        World Map of Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox version:41.0.0 Charoite
        Analysis ID:1580553
        Start date and time:2024-12-25 04:32:08 +01:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 11s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:112
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Critical Process Termination
        Sample name:#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
        renamed because original name is a hash value
        Original Sample Name:_1.1.6.exe
        Detection:MAL
        Classification:mal96.evad.winEXE@144/31@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 74%
        • Number of executed functions: 121
        • Number of non-executed functions: 104
        Cookbook Comments:
        • Found application associated with file extension: .exe

        Warnings

        • Excluded IPs from analysis (whitelisted): 4.245.163.56
        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes where analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size exceeded maximum capacity and may have missing disassembly code.
        • Report size getting too big, too many NtCreateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        22:33:01API Interceptor1x Sleep call for process: #U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp modified
        22:33:04API Interceptor23x Sleep call for process: powershell.exe modified

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASNs

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
        C:\Program Files (x86)\Windows NT\7zr.exe#U5b89#U88c5#U7a0b#U5e8f_1.1.2.exeGet hashmaliciousUnknownBrowse
          #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exeGet hashmaliciousUnknownBrowse
            #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeGet hashmaliciousUnknownBrowse
              #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exeGet hashmaliciousUnknownBrowse
                  #U5b89#U88c5#U52a9#U624b2.0.6.exeGet hashmaliciousUnknownBrowse
                    #U5b89#U88c5#U52a9#U624b2.0.7.exeGet hashmaliciousUnknownBrowse
                      #U5b89#U88c5#U52a9#U624b2.0.5.exeGet hashmaliciousUnknownBrowse
                        #U5b89#U88c5#U52a9#U624b2.0.4.exeGet hashmaliciousUnknownBrowse
                          #U5b89#U88c5#U52a9#U624b2.0.2.exeGet hashmaliciousUnknownBrowse

                            Created / dropped Files

                            C:\Program Files (x86)\Windows NT\7zr.exe

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):831200
                            Entropy (8bit):6.671005303304742
                            Encrypted:false
                            SSDEEP:24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
                            MD5:84DC4B92D860E8AEA55D12B1E87EA108
                            SHA1:56074A031A81A2394770D4DA98AC01D99EC77AAD
                            SHA-256:BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
                            SHA-512:CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            • Antivirus: Virustotal, Detection: 0%, Browse
                            Joe Sandbox View:
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.2.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.1.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U7a0b#U5e8f_1.1.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.6.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.7.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse
                            • Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\file.dat (copy)

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):3252513
                            Entropy (8bit):7.999943965711187
                            Encrypted:true
                            SSDEEP:98304:Rkmv9U+uJKdOgdj5p+L2rV0kO8FvA3lUMMC+6U+:NW+uAdOEosV7XvA3aw+6U+
                            MD5:AC6EE02365E4BD73722DCF5FF60465B4
                            SHA1:43B62568AC3C8047B2FFA2FE478CCE8227C8E56E
                            SHA-256:E9F4C3E50CA85DEE7A9DD5E32846B7AA896647307E47515D361E1FB09EEB7DDF
                            SHA-512:1E68D326196B2A49A8CBB4F467981F4197138FAA9BC39DC0BDE6130702861C10520FBDA8AC70B070E6052D67B22D1D0FA7F64F08CEC252DE13CB521A5471B48B
                            Malicious:false
                            Preview:.@S......Y]<\...............L6.w6.....U...9.F.k.......g.....Y:.....s_U.P.jS2.]..G...}..'.w...J .3T..U`.u.Y......>n..Z..2...hw......@...#R.lL..Gb..C..\....}...S.8......t.9H..JU-?.U)......S.~...&.p..7.3J..7.&J..J.O........>|.)V.i..p.R..,x.N....#...X..8..f........`.?.xO.S......<.V..........u..^.$...I..;..`.l...;s..F.e..=.O..q.:;{..Q......%...8=j..Sr}.#WY.)....K+....|.*..;.B...d..:.l.L.....n...YE.&....0.Z,.0.r.s8.ig........QO..G............`..&..".G0M..}mk.Q..@.......0<)..|.t.e+5..........."!..d....p..u.2d.G....".....,.e.`...K......0..#..`(.d... v..<....y..J.}.......YM...E....{..%A.....BJ..D.Z.cN..?......,.TD7o......D=\+.L.i.k..D.-.......E9@.o.K..p.w...A}i.h5..Y.....E*....cJ..cm.1o.....8.....:.d1...%hG..DN$..nh..#..T.Hg.5.....M..?.8.......KS4B.j..@!%..(.....3..EW.[=u..........%..t....j!%..%d...s][.Ses.0....a.r...m.}...b.q.O`:<.......Y.8....v...}.G..I...p .z.u.......7.9.`"^};....q./A.^.2B^..P...rJ..KG..o..&...lI?}H..F.%1......O......V.e...b..8.x...

                            C:\Program Files (x86)\Windows NT\hrsw.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            • Antivirus: Virustotal, Detection: 38%, Browse
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\is-BD2QT.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:data
                            Category:dropped
                            Size (bytes):3252513
                            Entropy (8bit):7.999943965711187
                            Encrypted:true
                            SSDEEP:98304:Rkmv9U+uJKdOgdj5p+L2rV0kO8FvA3lUMMC+6U+:NW+uAdOEosV7XvA3aw+6U+
                            MD5:AC6EE02365E4BD73722DCF5FF60465B4
                            SHA1:43B62568AC3C8047B2FFA2FE478CCE8227C8E56E
                            SHA-256:E9F4C3E50CA85DEE7A9DD5E32846B7AA896647307E47515D361E1FB09EEB7DDF
                            SHA-512:1E68D326196B2A49A8CBB4F467981F4197138FAA9BC39DC0BDE6130702861C10520FBDA8AC70B070E6052D67B22D1D0FA7F64F08CEC252DE13CB521A5471B48B
                            Malicious:false
                            Preview:.@S......Y]<\...............L6.w6.....U...9.F.k.......g.....Y:.....s_U.P.jS2.]..G...}..'.w...J .3T..U`.u.Y......>n..Z..2...hw......@...#R.lL..Gb..C..\....}...S.8......t.9H..JU-?.U)......S.~...&.p..7.3J..7.&J..J.O........>|.)V.i..p.R..,x.N....#...X..8..f........`.?.xO.S......<.V..........u..^.$...I..;..`.l...;s..F.e..=.O..q.:;{..Q......%...8=j..Sr}.#WY.)....K+....|.*..;.B...d..:.l.L.....n...YE.&....0.Z,.0.r.s8.ig........QO..G............`..&..".G0M..}mk.Q..@.......0<)..|.t.e+5..........."!..d....p..u.2d.G....".....,.e.`...K......0..#..`(.d... v..<....y..J.}.......YM...E....{..%A.....BJ..D.Z.cN..?......,.TD7o......D=\+.L.i.k..D.-.......E9@.o.K..p.w...A}i.h5..Y.....E*....cJ..cm.1o.....8.....:.d1...%hG..DN$..nh..#..T.Hg.5.....M..?.8.......KS4B.j..@!%..(.....3..EW.[=u..........%..t....j!%..%d...s][.Ses.0....a.r...m.}...b.q.O`:<.......Y.8....v...}.G..I...p .z.u.......7.9.`"^};....q./A.^.2B^..P...rJ..KG..o..&...lI?}H..F.%1......O......V.e...b..8.x...

                            C:\Program Files (x86)\Windows NT\locale.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.9966757919724305
                            Encrypted:true
                            SSDEEP:1536:tbPNdvKr+P8q3sS98KMig531vQ3/Wk+7Muede2XmUTme:FPN9cculQS71Yv3
                            MD5:F065238DE3B0B5224E6E3B7E32C26453
                            SHA1:088F982BC7F543FDBB97F71B2FD290361DBCA699
                            SHA-256:435534E13F7370594B41DC6975CD8C0301676006C02362546E9CA3A3EFC4C156
                            SHA-512:6F54DC7A0DF90E3E735691E55259668C207AD3D6AF151EC34100A6331A197851FD9014118E2BDC9C5FFD65D071A5EB4BFFB38CABB071004DB1BDF9D62F393096
                            Malicious:false
                            Preview:.@S.....xl ................j....PE.F".T(.=(..Z..aK^..&....@H.E.!..Ge...mD....S........bQ.}.....7.6....Z..M..e7....5..w..8?....pfF.:.."...#(.p.........r).....f.D..X......M....H..?..*..Gs...Z..Y..Q.,...;*p...6.|......L...rm....vk...||......,....j...N.7.5~...t.+.#o...[.C.^.qX.i\.....q..n..^o.FH.Q...v..&...{Y.D..U....L.h......../~..iem.o..1.MWC.m.{.. .K..~mb......P.i....2..3.$b.rt......N~].....;.Phn. ...@...W..AE......H.P...D ;c.].....2.b.....(.....K.r.}_...'D..^.Q..`}.e6..m..k.d$..N.....E...xO.!..EU..C?Q...8M.2..PcI.).......j...&....l.zsh...;./[..H.K0..e.....K........f..C../E..Z.....t].u!...d.).b.....Z..;A..........i....,..m..........dDl....};........6 8...............~.%i....m!1......:gK...U.y....r.]...<..^{.fR..30.C..g=YZ....Z.{|i....I.x...^*..\.C.fX.t..e..#..}.k.P...K|rtg.fuk.(.f...p..1.k.F....P..'...|4..7Q...5.Q...+...4..y...z.<..)..]`..M..>.B,.9n..cY.h....t..W......z>].'.....Xw..-.....a-A?..c.%..m.....p_9..P..J.j...A...:........

                            C:\Program Files (x86)\Windows NT\locale.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.99667579197243
                            Encrypted:true
                            SSDEEP:1536:TJL/LBUdYW62Y31rDdLF0PWz1atMxdH2/BClsdhKS9vk:Tleds2Y3BDdLuuGM/KBClsdhKovk
                            MD5:1F120CDB26EC4B1FB0237C089D66ACE7
                            SHA1:9CC3427B1EBC127DDF3FDF9A47CA9D6FCDB789FD
                            SHA-256:0E7DF22F81684783E851C2EFA8BE04343142A400E9EDD8FF7C934760159A376B
                            SHA-512:9CAA9544FD686C14270A8826C799E5D9481E2C43B46A2A2BACE70EC8B3D89E512CBBF5DDA6EA4768F798D9A027252AD03D7F41C36E966AD14A7A5CC5092956FC
                            Malicious:false
                            Preview:7z..'....T|.........2..........<"9N...0..6..i...N.*I.......M.d...?.4..n...Ef~b..fM......B.&..-..{.j...2.6.X1.%.T..!T....P'.#MV.a5.....z...e....y!......(<|..0/>....WrS.,j.@n.G..$.z..0~...Q...R./5..}La....).&.0....uES....i,"......g....U...kfk....3......C..{/a.....a...W.A...w.q..%....\E<1.la.\.Y.BX.....R...8.J..\&'_..d.C[.2z4 ...X.[..s.Uo*.M......V..s....N......ET...S&.O`=.E.N`/..QV.t...).h.....d@p^..`...H..............P&F.>..L.iL....q..m.6......5'A<..{..!.....vJ#n.33.........).....Nx......>.F2.F&-[..y.E...#&..0.x...|......0lJ...{...G+.[V.xX......Ek.....(.N..WC...H...&..({.b..ag.D..t!.Kt..p.?...X~1F.*...LDZ 5\..%..=b{RV}.+h.V1./....C..7....+"...qT/D....hE._s.p...sq%HS.....+i4.X..v....$pj....U..6.[......G....S.5..Ma.2......gR..!.?.....F.{k.f...[8MW.C...E...}.&.3.....c.}F.}9...o.Ue........H.&.!yO0.N?.....%.3..%..........@...H.@.*..@..O..E...D.mG..1Q..1.....9r..j.......rLT.h}..:g1_.Ly..4b.d...8....v.u./3.v...DH.=....|]"nP...I=.70..ZZ....t..Kq}...l

                            C:\Program Files (x86)\Windows NT\locale2.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255975
                            Encrypted:true
                            SSDEEP:1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
                            MD5:CEA69F993E1CE0FB945A98BF37A66546
                            SHA1:7114365265F041DA904574D1F5876544506F89BA
                            SHA-256:E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
                            SHA-512:4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
                            Malicious:false
                            Preview:.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D*.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~....*.'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr*4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p.*.bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm.*...E....2........s. *R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

                            C:\Program Files (x86)\Windows NT\locale2.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):56546
                            Entropy (8bit):7.996966859255979
                            Encrypted:true
                            SSDEEP:1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
                            MD5:4CB8B7E557C80FC7B014133AB834A042
                            SHA1:C42E2C861FF3ED0E6A11824E12F67A344E8F783D
                            SHA-256:3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
                            SHA-512:A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
                            Malicious:false
                            Preview:7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.|. a.:..5.....b.....2......W.....Z.pS.b/.F.;|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f.......*.@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2*.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

                            C:\Program Files (x86)\Windows NT\locale3.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
                            MD5:8622FC7228777F64A47BD6C61478ADD9
                            SHA1:9A7C15F341835F83C96DA804DC1E21FDA696BB56
                            SHA-256:4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
                            SHA-512:71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
                            Malicious:false
                            Preview:.@S......................xi.\ .~.#..:}..fy?koGL^|kH.G...........x....Tg.Y.t....~^..".L.41.....R..|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.|a.]..@DP".`Rz}...|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C......*.V..|..2.J..i.r....|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ..*.8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

                            C:\Program Files (x86)\Windows NT\locale3.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):31890
                            Entropy (8bit):7.99402458740637
                            Encrypted:true
                            SSDEEP:768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
                            MD5:CE6034AFC63BB42F4E0D6CD897DFBCB8
                            SHA1:49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
                            SHA-256:7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
                            SHA-512:7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
                            Malicious:false
                            Preview:7z..'....oYU@|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc*.o@|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.*RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

                            C:\Program Files (x86)\Windows NT\locale4.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.99759370165655
                            Encrypted:true
                            SSDEEP:1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
                            MD5:950338D50B95A25F494EE74E97B7B7A9
                            SHA1:F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
                            SHA-256:87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
                            SHA-512:9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
                            Malicious:false
                            Preview:.@S........................F.T....r...z'I.N..].u.e.e..y.....<|r.:v.....J.i...L.Sv.....Nz..,..K.sI*./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#*.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.*z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.....*..9;..R...VL.]..%j.....TM.4.....P.L...

                            C:\Program Files (x86)\Windows NT\locale4.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):74960
                            Entropy (8bit):7.997593701656546
                            Encrypted:true
                            SSDEEP:1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
                            MD5:059BA7C31F3E227356CA5F29E4AA2508
                            SHA1:FA3DC96A3336903ED5E6105A197A02E618E3F634
                            SHA-256:1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
                            SHA-512:E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
                            Malicious:false
                            Preview:7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7.*...!!.(.....Gc..........Dg....Z.*.#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.|T.5..V...E|...q.........].}bl...y.....;...q....-a..RP3..L~k....|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

                            C:\Program Files (x86)\Windows NT\locale7.bin

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653607
                            Encrypted:true
                            SSDEEP:768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
                            MD5:2C3E0D1FB580A8F0855355CC7D8D4F7A
                            SHA1:177E4A0B7C4BC8ACE0F46127398808E669222515
                            SHA-256:9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
                            SHA-512:B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
                            Malicious:false
                            Preview:.@S....*z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@*.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

                            C:\Program Files (x86)\Windows NT\locale7.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):29730
                            Entropy (8bit):7.994290657653608
                            Encrypted:true
                            SSDEEP:768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
                            MD5:A9C8A3E00692F79E1BA9693003F85D18
                            SHA1:5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
                            SHA-256:B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
                            SHA-512:8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
                            Malicious:false
                            Preview:7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.*'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?.....*.XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...|Ynic.*.....ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r*..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..|..)f...C....$...E....H"x..F....wW...3"......Y.*Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$....*.&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

                            C:\Program Files (x86)\Windows NT\res.dat

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):3252513
                            Entropy (8bit):7.999943965711188
                            Encrypted:true
                            SSDEEP:98304:+XXOlk822gQUKZ2ecz7upfuutUiyfLOjrWZ:Uel0pKZ2ec/upfuwylZ
                            MD5:8CD35311B784040092611827E49F8BE3
                            SHA1:909D769731A81DAA04CA25A1F325206ADC22BA20
                            SHA-256:9CD7F9F2281FFF8F455A731FF75E3670C9A24028840202AF378FBE3C5089CA66
                            SHA-512:2CA2DE6081D67D852775C81620BC18A4D16849B4177A7F083CD372173BB37BE6C8316921FEFC1BFB81E0731FAE320586E503E2C9FF7C41155FED16ADECA45DA4
                            Malicious:false
                            Preview:7z..'...?,....1.....A.............+?..<y...m.).]..%......)".Cy...8BP9......k...,.. .N#..]....r.`...l.......s.<.w}H"....pn.ChU..q+......Ho.%...b...9.W\....w.c...Fp.J..>.........;..MX 4h..k...#.....D(.N....d.z..d.s..=.....Q....S.t.m=...=.(.jo)....$...C...$i7........j...R%.e..L.@!V!Vb.3..;......?..l.0....:7yj.t.......].Q..#..SN....e.88Y..J|...L..;...k.lM....k].~.9.iF.v.&.APW.G..0...!..Ix..U.l...hF...r.....o........\wl...p.(..|is.7..o.~.K.3.y.. v.h..!....3E9..Udf.@....8.~...r...<^{.n./Fk.nP....P..y..[.-.<..E\..*.....?.t.6t~R.C...~T.Q^..E....Be>.B..+%...a,.&.[.ff..$....'.iS=T.ke.g.x.8......M....+..Ib('.*.'g...2.N$.T....W..a..V.{.@p..'...o......].......t...&.X.J.K..lR%{b..W+.......f.`...L,.V....Yp^../....(...$k..V..z..7.~.r.7.i..(..H$.S1#...E.R5....S...iX3..9......Y.No...2<../,..+.S....&...).....,C.&/3`....,g...i.hN9..2....U1...<D...X.en.+.D...k@..[....Y.U.KWZJZ`%.........71..V.....e..*!-..b[..!..;...<!....c5.q..(jNzm/..2.W..$....=..9,.%j.lq4

                            C:\Program Files (x86)\Windows NT\tProtect.dll

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):63640
                            Entropy (8bit):6.482810107683822
                            Encrypted:false
                            SSDEEP:768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
                            MD5:B4EAACCE30F51EAF2A36CEA680B45A66
                            SHA1:94493D7739C5EE7346DA31D9523404D62682B195
                            SHA-256:15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
                            SHA-512:16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 9%
                            • Antivirus: Virustotal, Detection: 6%, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.|XN4.5N.|HN6.5NA'XN6.5N.|DN0.5N.|IN6.5N.|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

                            C:\Program Files (x86)\Windows NT\task.xml

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3443983145211007
                            Encrypted:false
                            SSDEEP:48:dXKLzDlnyL6w0QldOVQOj933ODOiTdKbKsz72eW+5yF:dXazDlnHwhldOVQOj6dKbKsz7
                            MD5:1E67E91688292692932CD9096EDEA2BD
                            SHA1:AA8859477C235F2F194FC7C4D75EF4C082A6864B
                            SHA-256:ED20E6ED002708041CC98B046F976B2BE43685B258AE6461F291CF73F7128924
                            SHA-512:7C6DE3E403542FE6D33C75F286212A114C7112B8401EAC8323EDBE856CADE905CE11E0B9C4083AE01A711E6B1EC12329CBF43AB0B585BCB56FE8A0F151B47B3E
                            Malicious:false
                            Preview:<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\turminoob</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAva

                            C:\Program Files (x86)\Windows NT\trash

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:OpenPGP Public Key
                            Category:dropped
                            Size (bytes):3002302
                            Entropy (8bit):7.9999367110713795
                            Encrypted:true
                            SSDEEP:49152:fabTxPp50+YBXeTFfQm4v2/gx/4Qkf6e6fKZXN0AkdcXjMjgPXbqmztLN+DWm+ar:fMPp5FYeTFQvZ47wQNPkSTMUPpztL8Dx
                            MD5:8862E3A18FBF883677A39AA59DE0EAAD
                            SHA1:FAE1A1A5E1B34DFF73AD1C4B680C76EE5EDD52A0
                            SHA-256:229618C87597E665556EA6C0F03F70FC56C94E09D031B2EE821B91EDD6576601
                            SHA-512:1E66A5CF02A694B6D014E7A9F849A857CF97C97BC95F834BCEE8138CD4D2AF9A6C341575B3DF494EDBE600A883E6D7A9882D455E17A6DC942D19D09B5BBCF3B9
                            Malicious:false
                            Preview:.qoM....</P.S.H..}.+..D.(..........u....t..?d.S..H.} _......X.2..l.i..k....Xf/H....0?Ar.........4Saj....,..p.......ti.[.:z.{..Nh...=.J?.).K.R..eg..+.R..k.N..f.......2..tH.....|z.:.C.9.y...G..m...vyV].".>0o..CL.7...^.k\.S..........C...-.f.."...{..F5...>.d..@..;..Y........[...*........Y...T....u.?.i.h........S.:t]r{...mg..D.--...].h.vh.W...<TY-E..0..W'6.?.I..HS?...../...g.d.U$......t...;..yDk...I...0...bOx........[.]@....7.d.....H.......f.z1wq..n.Bb...?.Q..:.l.P..:..e...A......5....y..k.uQz.j.V!D.A?..BIH.'...8.l.bw...W......]....sh$Jq....-..........I.E.....|..3`"D.....^..J:4..8.......?.O...jC.xb...,.w>~.,....f.......G.....f|+.Y..0.%...7.....k..A.^_...]..<..}..8..*...Jb...SU...%g>.;.k`............6...kn.\........6M..T..l.!......O..vXR...........cW.....S......U$P[..-.?./..b.=...].7....bri%.8.....$..^...j.O:.I..~...+....>..|.Q|u.m..A.34.l.....\k..S.~}$.3nP...{..._.....kH.W.j..=....U>..\.L[5.t.U...k..Rce.+........)Z*A.AV..=[&......].../u.C$..)....M}$

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):64
                            Entropy (8bit):1.1940658735648508
                            Encrypted:false
                            SSDEEP:3:NlllulDm0ll//Z:NllU6cl/
                            MD5:DA1F22117B9766A1F0220503765A5BA5
                            SHA1:D35597157EFE03AA1A88C1834DF8040B3DD3F3CB
                            SHA-256:BD022BFCBE39B4DA088DDE302258AE375AAFD6BDA4C7B39A97D80C8F92981C69
                            SHA-512:520FA7879AB2A00C86D9982BB057E7D5E243F7FC15A12BA1C823901DC582D2444C76534E955413B0310B9EBD043400907FD412B88927DAD07A1278D3B667E3D9
                            Malicious:false
                            Preview:@...e.................................R..............@..........

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bljondhd.a1w.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mumorbwt.z0j.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oytnwift.1zz.ps1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sm2h3lmj.2yz.psm1

                            Download File
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                            C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\_isetup\_setup64.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-1KA1K.tmp\update.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\_isetup\_setup64.tmp

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-6PF5P.tmp\update.vbc

                            Download File
                            Process:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3621376
                            Entropy (8bit):7.006090025798393
                            Encrypted:false
                            SSDEEP:98304:UXTNS5omKHixBbVZ9yogz/lWGAxNRie71MzSRMYuefCG/gZD:U5SG7Hwke71MzxY/UZD
                            MD5:FCADEAE28FCC52FD286350DFEECD82E5
                            SHA1:48290AA098DEDE53C457FC774063C3198754A161
                            SHA-256:34063D8A5CC7DE10C1514FD21463D4E5A0E99CFAB7A8EE1168E84EDE8823EDFB
                            SHA-512:56428AFDEEE8774518FE206AE4CD017F552F947508B87785A3BD960B14364F990F54E73F01C2A5CAF9B1862DADDD634BB894882B00B60102675D63F52245A41F
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 26%
                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...D.jg...........!..........................................................7...........@.........................8s.......y..<....p7.X.....................7.d?..........................h9.......................{...............................text...P........................... ..`.rdata..4...........................@..@.data...............................@....00cfg........(......T(.............@..@.tls..........(......V(.............@....voltbl.F.....(......X(..................aQ#..........(......Z(............. ..`.rsrc...X....p7.......6.............@..@.reloc..d?....7..@....7.............@..B................................................................................................................................................................................................................................................................................

                            C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp

                            Download File
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564866469498
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:F71908CEAB1076D5D4250CBFCB02E6B2
                            SHA1:2605DDF88D6191E54CE4935F5F652AD2EB3D90BF
                            SHA-256:41942D878571CFFA23A299A9CEC78B002C6B0B03C640A51C50049FA2A8C7698C
                            SHA-512:FE85D2393D6BC4D92FCAB43667CD16C4B69F2E757D6952D647119B1B15A113FBA1E117CFAD64B7851EB24400AD3DE4FD2A5BAA42271C13054EA9CC90E3DA825A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                            C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp

                            Download File
                            Process:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3366912
                            Entropy (8bit):6.530564866469498
                            Encrypted:false
                            SSDEEP:98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
                            MD5:F71908CEAB1076D5D4250CBFCB02E6B2
                            SHA1:2605DDF88D6191E54CE4935F5F652AD2EB3D90BF
                            SHA-256:41942D878571CFFA23A299A9CEC78B002C6B0B03C640A51C50049FA2A8C7698C
                            SHA-512:FE85D2393D6BC4D92FCAB43667CD16C4B69F2E757D6952D647119B1B15A113FBA1E117CFAD64B7851EB24400AD3DE4FD2A5BAA42271C13054EA9CC90E3DA825A
                            Malicious:true
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f..................*...........*.......*...@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text.....*.......*................. ..`.itext..$.....*..0....*............. ..`.data.........*.......*.............@....bss.....|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

                            \Device\ConDrv

                            Download File
                            Process:C:\Program Files (x86)\Windows NT\7zr.exe
                            File Type:ASCII text, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):406
                            Entropy (8bit):5.117520345541057
                            Encrypted:false
                            SSDEEP:6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
                            MD5:9200058492BCA8F9D88B4877F842C148
                            SHA1:EED69748A26CFAF769EF589F395A162E87005B36
                            SHA-256:BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
                            SHA-512:312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
                            Malicious:false
                            Preview:..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.967601185321986
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.04%
                            • Inno Setup installer (109748/4) 1.08%
                            • InstallShield setup (43055/19) 0.42%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            File name:#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                            File size:9'897'435 bytes
                            MD5:1892cf920ffe70868b967804d9222b14
                            SHA1:2b2a0a6bbd472bf5aee0fb476d4ddd07f0c234dd
                            SHA256:459794c80f6ede491eefd8c6eabf5abe8cbd29a4d224e35072b38af2610f07d0
                            SHA512:ebccfdd092539d0cbca3859111070b502eef0452bcd9cbb6805031af0a1a868480d6d4a54a5a0af86a4622a606447fa1be7b4220241c3a4ab370a1af65f60e5f
                            SSDEEP:196608:lHDsQ/dcSd7VHeeAXOZYEBlg5aiixZ4cENKegvJ4158YPVuyN3gJHu:ljsQ/dcSJVOXLEBlg0vyNyvm1OFyGJO
                            TLSH:C9A62322F2CBD43DE41D0B3719B3A65494FB6A206423AE578AECB4ACCF351601D3E657
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                            File Icon

                            Icon Hash:0c0c2d33ceec80aa

                            Static PE Info

                            General

                            Entrypoint:0x4a83bc
                            Entrypoint Section:.itext
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:40ab50289f7ef5fae60801f88d4541fc

                            Entrypoint Preview

                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004A2EBCh
                            call 00007F10ACDCB045h
                            xor eax, eax
                            push ebp
                            push 004A8AC1h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004A8A7Bh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004B0634h]
                            call 00007F10ACE5C9CBh
                            call 00007F10ACE5C51Eh
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F10ACE571F8h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004B41F4h
                            call 00007F10ACDC50F3h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004B41F4h]
                            mov dl, 01h
                            mov eax, dword ptr [0049CD14h]
                            call 00007F10ACE58523h
                            mov dword ptr [004B41F8h], eax
                            xor edx, edx
                            push ebp
                            push 004A8A27h
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F10ACE5CA53h
                            mov dword ptr [004B4200h], eax
                            mov eax, dword ptr [004B4200h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F10ACE6373Ah
                            mov eax, dword ptr [004B4200h]
                            mov edx, 00000028h
                            call 00007F10ACE58E18h
                            mov edx, dword ptr [004B4200h]

                            Data Directories

                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0xb70000x71.edata
                            IMAGE_DIRECTORY_ENTRY_IMPORT0xb50000xfec.idata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xcb0000x11000.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xba0000x10fa8.reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0xb90000x18.rdata
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0xb52d40x25c.idata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0xb60000x1a4.didata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                            Sections

                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x10000xa568c0xa5800b889d302f6fc48a904de33d8d947ae80False0.3620185045317221data6.377190161826806IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .itext0xa70000x1b640x1c00588dd0a8ab499300d3701cbd11b017d9False0.548828125data6.109264411030635IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .data0xa90000x38380x3a005c0c76e77aef52ebc6702430837ccb6eFalse0.35338092672413796data4.95916338709992IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .bss0xad0000x72580x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .idata0xb50000xfec0x1000627340dff539ef99048969aa4824fb2dFalse0.380615234375data5.020404933181373IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didata0xb60000x1a40x200fd11c1109737963cc6cb7258063abfd6False0.34765625data2.729290535217263IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .edata0xb70000x710x2007de8ca0c7a61668a728fd3a88dc0942dFalse0.1796875data1.305578535725827IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .tls0xb80000x180x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rdata0xb90000x5d0x200d84006640084dc9f74a07c2ff9c7d656False0.189453125data1.3892750148744617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc0xba0000x10fa80x11000a85fda2741bd9417695daa5fc5a9d7a5False0.5789579503676471data6.709466460182023IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            .rsrc0xcb0000x110000x110000298257a2fdc6a5af46f0d4f3dd0d7d8False0.1877154181985294data3.7229458291165596IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                            Resources

                            NameRVASizeTypeLanguageCountryZLIB Complexity
                            RT_ICON0xcb6780xa68Device independent bitmap graphic, 64 x 128 x 4, image size 2048EnglishUnited States0.1174924924924925
                            RT_ICON0xcc0e00x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152EnglishUnited States0.15792682926829268
                            RT_ICON0xcc7480x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512EnglishUnited States0.23387096774193547
                            RT_ICON0xcca300x128Device independent bitmap graphic, 16 x 32 x 4, image size 128EnglishUnited States0.39864864864864863
                            RT_ICON0xccb580x1628Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colorsEnglishUnited States0.08339210155148095
                            RT_ICON0xce1800xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsEnglishUnited States0.1023454157782516
                            RT_ICON0xcf0280x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsEnglishUnited States0.10649819494584838
                            RT_ICON0xcf8d00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsEnglishUnited States0.10838150289017341
                            RT_ICON0xcfe380x12e5PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States0.8712011577424024
                            RT_ICON0xd11200x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16896EnglishUnited States0.05668398677373642
                            RT_ICON0xd53480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.08475103734439834
                            RT_ICON0xd78f00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.09920262664165103
                            RT_ICON0xd89980x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.2047872340425532
                            RT_STRING0xd8e000x3f8data0.3198818897637795
                            RT_STRING0xd91f80x2dcdata0.36475409836065575
                            RT_STRING0xd94d40x430data0.40578358208955223
                            RT_STRING0xd99040x44cdata0.38636363636363635
                            RT_STRING0xd9d500x2d4data0.39226519337016574
                            RT_STRING0xda0240xb8data0.6467391304347826
                            RT_STRING0xda0dc0x9cdata0.6410256410256411
                            RT_STRING0xda1780x374data0.4230769230769231
                            RT_STRING0xda4ec0x398data0.3358695652173913
                            RT_STRING0xda8840x368data0.3795871559633027
                            RT_STRING0xdabec0x2a4data0.4275147928994083
                            RT_RCDATA0xdae900x10data1.5
                            RT_RCDATA0xdaea00x310data0.6173469387755102
                            RT_RCDATA0xdb1b00x2cdata1.1818181818181819
                            RT_GROUP_ICON0xdb1dc0xbcdataEnglishUnited States0.6170212765957447
                            RT_VERSION0xdb2980x584dataEnglishUnited States0.2776203966005666
                            RT_MANIFEST0xdb81c0x7a8XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.3377551020408163

                            Imports

                            DLLImport
                            kernel32.dllGetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                            comctl32.dllInitCommonControls
                            user32.dllCreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                            oleaut32.dllSysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                            advapi32.dllConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

                            Exports

                            NameOrdinalAddress
                            __dbk_fcall_wrapper20x40fc10
                            dbkFCallWrapperAddr10x4b063c

                            Possible Origin

                            Language of compilation systemCountry where language is spokenMap
                            EnglishUnited States

                            Network Behavior

                            No network behavior found

                            Statistics

                            CPU Usage

                            Click to jump to process

                            Memory Usage

                            Click to jump to process

                            High Level Behavior Distribution

                            Click to dive into process behavior distribution

                            Behavior

                            Click to jump to process

                            System Behavior

                            General

                            Target ID:0
                            Start time:22:33:00
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
                            Imagebase:0x7a0000
                            File size:9'897'435 bytes
                            MD5 hash:1892CF920FFE70868B967804D9222B14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:1
                            Start time:22:33:00
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-8BPUP.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$203FE,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe"
                            Imagebase:0x480000
                            File size:3'366'912 bytes
                            MD5 hash:F71908CEAB1076D5D4250CBFCB02E6B2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:2
                            Start time:22:33:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                            Imagebase:0x7ff788560000
                            File size:452'608 bytes
                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:3
                            Start time:22:33:01
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:4
                            Start time:22:33:01
                            Start date:24/12/2024
                            Path:C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
                            Imagebase:0x7a0000
                            File size:9'897'435 bytes
                            MD5 hash:1892CF920FFE70868B967804D9222B14
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:false

                            General

                            Target ID:5
                            Start time:22:33:03
                            Start date:24/12/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-VUC4I.tmp\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.tmp" /SL5="$20428,8943036,845824,C:\Users\user\Desktop\#U5b89#U88c5#U7a0b#U5e8f_1.1.6.exe" /VERYSILENT
                            Imagebase:0x6c0000
                            File size:3'366'912 bytes
                            MD5 hash:F71908CEAB1076D5D4250CBFCB02E6B2
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            General

                            Target ID:6
                            Start time:22:33:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:7
                            Start time:22:33:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:8
                            Start time:22:33:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:9
                            Start time:22:33:05
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
                            Imagebase:0x260000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            • Detection: 0%, Virustotal, Browse
                            Reputation:moderate
                            Has exited:true

                            General

                            Target ID:10
                            Start time:22:33:05
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            General

                            Target ID:11
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Program Files (x86)\Windows NT\7zr.exe
                            Wow64 process (32bit):true
                            Commandline:7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
                            Imagebase:0x260000
                            File size:831'200 bytes
                            MD5 hash:84DC4B92D860E8AEA55D12B1E87EA108
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            General

                            Target ID:12
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:13
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff693ab0000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Has exited:false

                            General

                            Target ID:14
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:15
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:16
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:17
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:18
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:19
                            Start time:22:33:06
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:20
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:21
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:22
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:23
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:24
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:25
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:26
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:27
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:28
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:29
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:30
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:31
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:32
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:33
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:34
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:35
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:36
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:37
                            Start time:22:33:07
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:38
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:39
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff70f330000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:40
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:41
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:42
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:43
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:44
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:45
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:46
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:47
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:48
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:49
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:50
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:51
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:52
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:53
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:54
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:55
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:56
                            Start time:22:33:08
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:57
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:58
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:59
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:60
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:61
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:62
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:63
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:64
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:65
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:66
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:67
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:68
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:69
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:70
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:71
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:72
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:73
                            Start time:22:33:09
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:74
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:75
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:76
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:77
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:78
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:79
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:80
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:81
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:82
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:83
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:84
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:85
                            Start time:22:33:10
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:86
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:87
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:88
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:89
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:90
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:91
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:92
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:93
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:94
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:95
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:96
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:97
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:98
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:99
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:100
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:101
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:102
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:103
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:104
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff7699e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:105
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:106
                            Start time:22:33:11
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:107
                            Start time:22:33:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:108
                            Start time:22:33:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\sc.exe
                            Wow64 process (32bit):false
                            Commandline:sc start CleverSoar
                            Imagebase:0x7ff703bb0000
                            File size:72'192 bytes
                            MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:109
                            Start time:22:33:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7699e0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:110
                            Start time:22:33:12
                            Start date:24/12/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:cmd /c start sc start CleverSoar
                            Imagebase:0x7ff76b2e0000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            General

                            Target ID:265
                            Start time:22:33:18
                            Start date:24/12/2024
                            Path:C:\Windows\System32\Conhost.exe
                            Wow64 process (32bit):
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:
                            Has administrator privileges:
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Disassembly

                            Reset < >

                              Execution Graph

                              Execution Coverage:1.9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:5.2%
                              Total number of Nodes:731
                              Total number of Limit Nodes:8
                              execution_graph 63454 6ca201c3 63455 6ca201d5 __dosmaperr 63454->63455 63456 6ca201ed 63454->63456 63456->63455 63457 6ca20267 63456->63457 63459 6ca20238 __dosmaperr 63456->63459 63460 6ca20280 63457->63460 63461 6ca202d7 __wsopen_s 63457->63461 63462 6ca2029b __dosmaperr 63457->63462 63501 6ca13810 18 API calls __fassign 63459->63501 63460->63462 63481 6ca20285 63460->63481 63495 6ca17eab HeapFree GetLastError __dosmaperr 63461->63495 63494 6ca13810 18 API calls __fassign 63462->63494 63465 6ca2042e 63468 6ca204a4 63465->63468 63471 6ca20447 GetConsoleMode 63465->63471 63466 6ca202f7 63496 6ca17eab HeapFree GetLastError __dosmaperr 63466->63496 63470 6ca204a8 ReadFile 63468->63470 63473 6ca204c2 63470->63473 63474 6ca2051c GetLastError 63470->63474 63471->63468 63475 6ca20458 63471->63475 63472 6ca202fe 63486 6ca202b2 __dosmaperr __wsopen_s 63472->63486 63497 6ca1e359 20 API calls __wsopen_s 63472->63497 63473->63474 63477 6ca20499 63473->63477 63474->63486 63475->63470 63476 6ca2045e ReadConsoleW 63475->63476 63476->63477 63478 6ca2047a GetLastError 63476->63478 63482 6ca204e7 63477->63482 63483 6ca204fe 63477->63483 63477->63486 63478->63486 63489 6ca250d5 63481->63489 63499 6ca205ee 23 API calls 3 library calls 63482->63499 63485 6ca20515 63483->63485 63483->63486 63500 6ca208a6 21 API calls __wsopen_s 63485->63500 63498 6ca17eab HeapFree GetLastError __dosmaperr 63486->63498 63488 6ca2051a 63488->63486 63491 6ca250e2 63489->63491 63492 6ca250ef 63489->63492 63490 6ca250fb 63490->63465 63491->63465 63492->63490 63502 6ca13810 18 API calls __fassign 63492->63502 63494->63486 63495->63466 63496->63472 63497->63481 63498->63455 63499->63486 63500->63488 63501->63455 63502->63491 63503 6c89f150 63505 6c89efbe 63503->63505 63504 6c89f243 CreateFileA 63508 6c89f2a7 63504->63508 63505->63504 63506 6c8a02ca 63507 6c8a02ac GetCurrentProcess TerminateProcess 63507->63506 63508->63506 63508->63507 63509 6c89f8a3 63510 6c89f887 63509->63510 63511 6c8a02ac GetCurrentProcess TerminateProcess 63510->63511 63512 6c8a02ca 63511->63512 63513 6c883d62 63515 6c883bc0 63513->63515 63514 6c883e8a GetCurrentThread NtSetInformationThread 63516 6c883eea 63514->63516 63515->63514 63517 6c884b53 63675 6ca0a133 63517->63675 63519 6c884b5c _Yarn 63689 6c9fe090 63519->63689 63521 6c8a639e 63782 6ca13820 18 API calls 2 library calls 63521->63782 63523 6c884cff 63524 6c885164 CreateFileA CloseHandle 63529 6c8851ec 63524->63529 63525 6c884bae std::ios_base::_Ios_base_dtor 63525->63521 63525->63523 63525->63524 63526 6c89245a _Yarn _strlen 63525->63526 63526->63521 63527 6c9fe090 2 API calls 63526->63527 63543 6c892a83 std::ios_base::_Ios_base_dtor 63527->63543 63695 6ca08810 OpenSCManagerA 63529->63695 63531 6c88fc00 63774 6ca08930 CreateToolhelp32Snapshot 63531->63774 63534 6ca0a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63571 6c885478 std::ios_base::_Ios_base_dtor _Yarn _strlen 63534->63571 63536 6c9fe090 2 API calls 63536->63571 63537 6c8937d0 Sleep 63581 6c8937e0 std::ios_base::_Ios_base_dtor _Yarn _strlen 63537->63581 63538 6c8a63b2 63783 6c8815e0 18 API calls std::ios_base::_Ios_base_dtor 63538->63783 63539 6ca08930 4 API calls 63556 6c89053a 63539->63556 63540 6ca08930 4 API calls 63566 6c8912e2 63540->63566 63542 6c8a64f8 63543->63521 63699 6c9f0880 63543->63699 63544 6c88ffe3 63544->63539 63548 6c890abc 63544->63548 63545 6c8a6ba0 104 API calls 63545->63571 63546 6c8a6e60 32 API calls 63546->63571 63548->63526 63548->63540 63550 6ca08930 4 API calls 63550->63548 63551 6ca08930 4 API calls 63570 6c891dd9 63551->63570 63552 6c89211c 63552->63526 63554 6c89241a 63552->63554 63557 6c9f0880 10 API calls 63554->63557 63555 6c9fe090 2 API calls 63555->63581 63556->63548 63556->63550 63559 6c89244d 63557->63559 63558 6c886722 63750 6ca04860 25 API calls 4 library calls 63558->63750 63780 6ca09450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63559->63780 63561 6c892452 Sleep 63561->63526 63562 6c8916ac 63563 6c886162 63565 6c88740b 63751 6ca086e0 CreateProcessA 63565->63751 63566->63551 63566->63552 63566->63562 63567 6ca08930 4 API calls 63567->63552 63570->63552 63570->63567 63571->63521 63571->63531 63571->63534 63571->63536 63571->63545 63571->63546 63571->63558 63571->63563 63736 6c8a7090 63571->63736 63749 6c8ce010 67 API calls 63571->63749 63572 6c8a7090 77 API calls 63572->63581 63574 6c88775a _strlen 63574->63521 63575 6c887ba9 63574->63575 63576 6c887b92 63574->63576 63579 6c887b43 _Yarn 63574->63579 63578 6ca0a133 std::_Facet_Register 4 API calls 63575->63578 63577 6ca0a133 std::_Facet_Register 4 API calls 63576->63577 63577->63579 63578->63579 63580 6c9fe090 2 API calls 63579->63580 63589 6c887be7 std::ios_base::_Ios_base_dtor 63580->63589 63581->63521 63581->63555 63581->63572 63707 6c8a6ba0 63581->63707 63726 6c8a6e60 63581->63726 63781 6c8ce010 67 API calls 63581->63781 63582 6ca086e0 4 API calls 63593 6c888a07 63582->63593 63583 6c889d68 63585 6ca0a133 std::_Facet_Register 4 API calls 63583->63585 63584 6c889d7f 63586 6ca0a133 std::_Facet_Register 4 API calls 63584->63586 63587 6c889d18 _Yarn 63585->63587 63586->63587 63588 6c9fe090 2 API calls 63587->63588 63598 6c889dbd std::ios_base::_Ios_base_dtor 63588->63598 63589->63521 63589->63582 63590 6c88962c _strlen 63589->63590 63591 6c888387 63589->63591 63590->63521 63590->63583 63590->63584 63590->63587 63592 6ca086e0 4 API calls 63596 6c889120 63592->63596 63593->63592 63594 6ca086e0 4 API calls 63613 6c88a215 _strlen 63594->63613 63595 6ca086e0 4 API calls 63597 6c889624 63595->63597 63596->63595 63755 6ca09450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63597->63755 63598->63521 63598->63594 63605 6c88e8b5 std::ios_base::_Ios_base_dtor _Yarn _strlen 63598->63605 63599 6ca0a133 IsProcessorFeaturePresent RaiseException EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63599->63605 63601 6c9fe090 2 API calls 63601->63605 63602 6c88f7b1 63773 6ca09450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63602->63773 63603 6c88ed02 Sleep 63623 6c88e8c1 63603->63623 63605->63521 63605->63599 63605->63601 63605->63602 63605->63603 63606 6c88e8dd GetCurrentProcess TerminateProcess 63606->63605 63607 6c88a9bb 63610 6ca0a133 std::_Facet_Register 4 API calls 63607->63610 63608 6c88a9a4 63609 6ca0a133 std::_Facet_Register 4 API calls 63608->63609 63618 6c88a953 _Yarn _strlen 63609->63618 63610->63618 63611 6ca086e0 4 API calls 63611->63623 63612 6c88fbb8 63614 6c88fbe8 ExitWindowsEx Sleep 63612->63614 63613->63521 63613->63607 63613->63608 63613->63618 63614->63531 63615 6c88f7c0 63615->63612 63616 6c88b009 63620 6ca0a133 std::_Facet_Register 4 API calls 63616->63620 63617 6c88aff0 63619 6ca0a133 std::_Facet_Register 4 API calls 63617->63619 63618->63538 63618->63616 63618->63617 63621 6c88afa0 _Yarn 63618->63621 63619->63621 63620->63621 63756 6ca09050 63621->63756 63623->63605 63623->63606 63623->63611 63624 6c88b059 std::ios_base::_Ios_base_dtor _strlen 63624->63521 63625 6c88b42c 63624->63625 63626 6c88b443 63624->63626 63629 6c88b3da _Yarn _strlen 63624->63629 63627 6ca0a133 std::_Facet_Register 4 API calls 63625->63627 63628 6ca0a133 std::_Facet_Register 4 API calls 63626->63628 63627->63629 63628->63629 63629->63538 63630 6c88b79e 63629->63630 63631 6c88b7b7 63629->63631 63634 6c88b751 _Yarn 63629->63634 63632 6ca0a133 std::_Facet_Register 4 API calls 63630->63632 63633 6ca0a133 std::_Facet_Register 4 API calls 63631->63633 63632->63634 63633->63634 63635 6ca09050 104 API calls 63634->63635 63636 6c88b804 std::ios_base::_Ios_base_dtor _strlen 63635->63636 63636->63521 63637 6c88bc0f 63636->63637 63638 6c88bc26 63636->63638 63641 6c88bbbd _Yarn _strlen 63636->63641 63639 6ca0a133 std::_Facet_Register 4 API calls 63637->63639 63640 6ca0a133 std::_Facet_Register 4 API calls 63638->63640 63639->63641 63640->63641 63641->63538 63642 6c88c08e 63641->63642 63643 6c88c075 63641->63643 63646 6c88c028 _Yarn 63641->63646 63645 6ca0a133 std::_Facet_Register 4 API calls 63642->63645 63644 6ca0a133 std::_Facet_Register 4 API calls 63643->63644 63644->63646 63645->63646 63647 6ca09050 104 API calls 63646->63647 63652 6c88c0db std::ios_base::_Ios_base_dtor _strlen 63647->63652 63648 6c88c7bc 63651 6ca0a133 std::_Facet_Register 4 API calls 63648->63651 63649 6c88c7a5 63650 6ca0a133 std::_Facet_Register 4 API calls 63649->63650 63659 6c88c753 _Yarn _strlen 63650->63659 63651->63659 63652->63521 63652->63648 63652->63649 63652->63659 63653 6c88d3ed 63655 6ca0a133 std::_Facet_Register 4 API calls 63653->63655 63654 6c88d406 63656 6ca0a133 std::_Facet_Register 4 API calls 63654->63656 63657 6c88d39a _Yarn 63655->63657 63656->63657 63658 6ca09050 104 API calls 63657->63658 63660 6c88d458 std::ios_base::_Ios_base_dtor _strlen 63658->63660 63659->63538 63659->63653 63659->63654 63659->63657 63665 6c88cb2f 63659->63665 63660->63521 63661 6c88d8bb 63660->63661 63662 6c88d8a4 63660->63662 63666 6c88d852 _Yarn _strlen 63660->63666 63664 6ca0a133 std::_Facet_Register 4 API calls 63661->63664 63663 6ca0a133 std::_Facet_Register 4 API calls 63662->63663 63663->63666 63664->63666 63666->63538 63667 6c88dccf 63666->63667 63668 6c88dcb6 63666->63668 63671 6c88dc69 _Yarn 63666->63671 63669 6ca0a133 std::_Facet_Register 4 API calls 63667->63669 63670 6ca0a133 std::_Facet_Register 4 API calls 63668->63670 63669->63671 63670->63671 63672 6ca09050 104 API calls 63671->63672 63674 6c88dd1c std::ios_base::_Ios_base_dtor 63672->63674 63673 6ca086e0 4 API calls 63673->63605 63674->63521 63674->63673 63677 6ca0a138 63675->63677 63676 6ca0a152 63676->63519 63677->63676 63680 6ca0a154 std::_Facet_Register 63677->63680 63784 6ca12704 EnterCriticalSection LeaveCriticalSection std::_Facet_Register 63677->63784 63679 6ca0afb3 std::_Facet_Register 63788 6ca0ca69 RaiseException 63679->63788 63680->63679 63785 6ca0ca69 RaiseException 63680->63785 63683 6ca0b7ac IsProcessorFeaturePresent 63688 6ca0b7d1 63683->63688 63684 6ca0af73 63786 6ca0ca69 RaiseException 63684->63786 63686 6ca0af93 std::invalid_argument::invalid_argument 63787 6ca0ca69 RaiseException 63686->63787 63688->63519 63690 6c9fe0a6 FindFirstFileA 63689->63690 63691 6c9fe0a4 63689->63691 63692 6c9fe0e0 63690->63692 63691->63690 63693 6c9fe13c 63692->63693 63694 6c9fe0e2 FindClose 63692->63694 63693->63525 63694->63692 63696 6ca08846 63695->63696 63697 6ca088be OpenServiceA 63696->63697 63698 6ca08922 63696->63698 63697->63696 63698->63571 63703 6c9f0893 _Yarn __wsopen_s std::locale::_Setgloballocale _strlen 63699->63703 63700 6c9f4e71 CloseHandle 63700->63703 63701 6c9f3bd1 CloseHandle 63701->63703 63702 6c8937cb 63706 6ca09450 GetCurrentProcess OpenProcessToken LookupPrivilegeValueW AdjustTokenPrivileges NtInitiatePowerAction 63702->63706 63703->63700 63703->63701 63703->63702 63705 6c9dcea0 WriteFile ReadFile WriteFile WriteFile 63703->63705 63789 6c9dc390 63703->63789 63705->63703 63706->63537 63708 6c8a6bd5 63707->63708 63800 6c8d2020 63708->63800 63710 6c8a6c68 63711 6ca0a133 std::_Facet_Register 4 API calls 63710->63711 63712 6c8a6ca0 63711->63712 63817 6ca0aa17 63712->63817 63714 6c8a6cb4 63829 6c8d1d90 63714->63829 63717 6c8a6d8e 63717->63581 63719 6c8a6dc8 63837 6c8d26e0 24 API calls 4 library calls 63719->63837 63721 6c8a6dda 63838 6ca0ca69 RaiseException 63721->63838 63723 6c8a6def 63839 6c8ce010 67 API calls 63723->63839 63725 6c8a6e0f 63725->63581 63727 6c8a6e9f 63726->63727 63730 6c8a6eb3 63727->63730 64229 6c8d3560 32 API calls std::_Xinvalid_argument 63727->64229 63733 6c8a6f5b 63730->63733 64231 6c8d2250 30 API calls 63730->64231 64232 6c8d26e0 24 API calls 4 library calls 63730->64232 64233 6ca0ca69 RaiseException 63730->64233 63732 6c8a6f6e 63732->63581 63733->63732 64230 6c8d37e0 32 API calls std::_Xinvalid_argument 63733->64230 63737 6c8a709e 63736->63737 63740 6c8a70d1 63736->63740 64234 6c8d01f0 63737->64234 63738 6c8a7183 63738->63571 63740->63738 64238 6c8d2250 30 API calls 63740->64238 63743 6ca14208 67 API calls 63743->63740 63744 6c8a71ae 64239 6c8d2340 24 API calls 63744->64239 63746 6c8a71be 64240 6ca0ca69 RaiseException 63746->64240 63748 6c8a71c9 63749->63571 63750->63565 63752 6ca08770 63751->63752 63753 6ca087b0 WaitForSingleObject CloseHandle CloseHandle 63752->63753 63754 6ca087a4 63752->63754 63753->63752 63754->63574 63755->63590 63757 6ca090a7 63756->63757 64286 6ca096e0 63757->64286 63759 6ca090b8 63760 6c8a6ba0 104 API calls 63759->63760 63767 6ca090dc 63760->63767 63761 6ca09157 64338 6c8ce010 67 API calls 63761->64338 63763 6ca0918f std::ios_base::_Ios_base_dtor 64339 6c8ce010 67 API calls 63763->64339 63766 6ca09144 64323 6ca09280 63766->64323 63767->63761 63767->63766 64305 6ca09a30 63767->64305 64313 6c8e3010 63767->64313 63768 6ca091d2 std::ios_base::_Ios_base_dtor 63768->63624 63771 6ca0914c 63772 6c8a7090 77 API calls 63771->63772 63772->63761 63773->63615 63777 6ca08966 std::locale::_Setgloballocale 63774->63777 63775 6ca08a64 Process32NextW 63775->63777 63776 6ca08a14 CloseHandle 63776->63777 63777->63775 63777->63776 63778 6ca08a96 63777->63778 63779 6ca08a45 Process32FirstW 63777->63779 63778->63544 63779->63777 63780->63561 63781->63581 63783->63542 63784->63677 63785->63684 63786->63686 63787->63679 63788->63683 63790 6c9dc3a3 _Yarn __wsopen_s std::locale::_Setgloballocale 63789->63790 63791 6c9dce3c 63790->63791 63792 6c9dcab9 CreateFileA 63790->63792 63794 6c9db4d0 63790->63794 63791->63703 63792->63790 63796 6c9db4e3 __wsopen_s std::locale::_Setgloballocale 63794->63796 63795 6c9dc206 WriteFile 63795->63796 63796->63795 63797 6c9db619 WriteFile 63796->63797 63798 6c9dc377 63796->63798 63799 6c9dbc23 ReadFile 63796->63799 63797->63796 63798->63790 63799->63796 63801 6ca0a133 std::_Facet_Register 4 API calls 63800->63801 63802 6c8d207e 63801->63802 63803 6ca0aa17 43 API calls 63802->63803 63804 6c8d2092 63803->63804 63840 6c8d2f60 42 API calls 4 library calls 63804->63840 63806 6c8d20c8 63807 6c8d210d 63806->63807 63808 6c8d2136 63806->63808 63809 6c8d2120 63807->63809 63841 6ca0a67e 9 API calls 2 library calls 63807->63841 63842 6c8d2250 30 API calls 63808->63842 63809->63710 63812 6c8d215b 63843 6c8d2340 24 API calls 63812->63843 63814 6c8d2171 63844 6ca0ca69 RaiseException 63814->63844 63816 6c8d217c 63816->63710 63818 6ca0aa23 __EH_prolog3 63817->63818 63845 6ca0a5a5 63818->63845 63823 6ca0aa41 63859 6ca0aaaa 39 API calls std::locale::_Setgloballocale 63823->63859 63824 6ca0aa9c 63824->63714 63826 6ca0aa49 63860 6ca0a8a1 HeapFree GetLastError _Yarn ___std_exception_destroy 63826->63860 63828 6ca0aa5f 63851 6ca0a5d6 63828->63851 63830 6c8d1ddc 63829->63830 63831 6c8a6d5d 63829->63831 63865 6ca0ab37 63830->63865 63831->63717 63836 6c8d2250 30 API calls 63831->63836 63835 6c8d1e82 63836->63719 63837->63721 63838->63723 63839->63725 63840->63806 63841->63809 63842->63812 63843->63814 63844->63816 63846 6ca0a5b4 63845->63846 63847 6ca0a5bb 63845->63847 63861 6ca13abd 6 API calls std::_Lockit::_Lockit 63846->63861 63849 6ca0a5b9 63847->63849 63862 6ca0bc7b EnterCriticalSection 63847->63862 63849->63828 63858 6ca0a920 6 API calls 2 library calls 63849->63858 63852 6ca0a5e0 63851->63852 63853 6ca13acb 63851->63853 63854 6ca0a5f3 63852->63854 63863 6ca0bc89 LeaveCriticalSection 63852->63863 63864 6ca13aa6 LeaveCriticalSection 63853->63864 63854->63824 63857 6ca13ad2 63857->63824 63858->63823 63859->63826 63860->63828 63861->63849 63862->63849 63863->63854 63864->63857 63866 6ca0ab40 63865->63866 63868 6c8d1dea 63866->63868 63874 6ca1343a 63866->63874 63868->63831 63873 6ca0fc53 18 API calls __fassign 63868->63873 63869 6ca0ab8c 63869->63868 63885 6ca13148 65 API calls 63869->63885 63871 6ca0aba7 63871->63868 63886 6ca14208 63871->63886 63873->63835 63876 6ca13445 __wsopen_s 63874->63876 63875 6ca13458 63911 6ca13810 18 API calls __fassign 63875->63911 63876->63875 63877 6ca13478 63876->63877 63879 6ca13468 63877->63879 63897 6ca1e4fc 63877->63897 63879->63869 63885->63871 63887 6ca14214 __wsopen_s 63886->63887 63888 6ca1421e 63887->63888 63889 6ca14233 63887->63889 64107 6ca13810 18 API calls __fassign 63888->64107 63894 6ca1422e 63889->63894 64092 6ca0fc99 EnterCriticalSection 63889->64092 63892 6ca14250 64093 6ca1428c 63892->64093 63894->63868 63895 6ca1425b 64108 6ca14282 LeaveCriticalSection 63895->64108 63898 6ca1e508 __wsopen_s 63897->63898 63913 6ca13a8f EnterCriticalSection 63898->63913 63900 6ca1e516 63914 6ca1e5a0 63900->63914 63905 6ca1e662 63906 6ca1e781 63905->63906 63938 6ca1e804 63906->63938 63909 6ca134bc 63912 6ca134e5 LeaveCriticalSection 63909->63912 63911->63879 63912->63879 63913->63900 63922 6ca1e5c3 63914->63922 63915 6ca1e523 63928 6ca1e55c 63915->63928 63916 6ca1e61b 63933 6ca1a8d5 EnterCriticalSection LeaveCriticalSection HeapAlloc __Getctype std::_Facet_Register 63916->63933 63918 6ca1e624 63934 6ca17eab HeapFree GetLastError __dosmaperr 63918->63934 63921 6ca1e62d 63921->63915 63935 6ca1a30f 6 API calls std::_Lockit::_Lockit 63921->63935 63922->63915 63922->63916 63922->63922 63931 6ca0fc99 EnterCriticalSection 63922->63931 63932 6ca0fcad LeaveCriticalSection 63922->63932 63924 6ca1e64c 63936 6ca0fc99 EnterCriticalSection 63924->63936 63927 6ca1e65f 63927->63915 63937 6ca13aa6 LeaveCriticalSection 63928->63937 63930 6ca13493 63930->63879 63930->63905 63931->63922 63932->63922 63933->63918 63934->63921 63935->63924 63936->63927 63937->63930 63939 6ca1e823 63938->63939 63940 6ca1e836 63939->63940 63942 6ca1e84b 63939->63942 63954 6ca13810 18 API calls __fassign 63940->63954 63944 6ca1e96b 63942->63944 63955 6ca27598 37 API calls __fassign 63942->63955 63943 6ca1e797 63943->63909 63951 6ca276ce 63943->63951 63944->63943 63958 6ca13810 18 API calls __fassign 63944->63958 63947 6ca1e9bb 63947->63944 63956 6ca27598 37 API calls __fassign 63947->63956 63949 6ca1e9d9 63949->63944 63957 6ca27598 37 API calls __fassign 63949->63957 63959 6ca27a86 63951->63959 63954->63943 63955->63947 63956->63949 63957->63944 63958->63943 63960 6ca27a92 __wsopen_s 63959->63960 63961 6ca27a99 63960->63961 63962 6ca27ac4 63960->63962 63977 6ca13810 18 API calls __fassign 63961->63977 63968 6ca276ee 63962->63968 63967 6ca276e9 63967->63909 63979 6ca13dbb 63968->63979 63973 6ca27724 63975 6ca27756 63973->63975 64019 6ca17eab HeapFree GetLastError __dosmaperr 63973->64019 63978 6ca27b1b LeaveCriticalSection __wsopen_s 63975->63978 63977->63967 63978->63967 64020 6ca0f3db 63979->64020 63981 6ca13ddf 63984 6ca0f4e6 63981->63984 64029 6ca0f53e 63984->64029 63986 6ca0f4fe 63986->63973 63987 6ca2775c 63986->63987 64044 6ca27bdc 63987->64044 63993 6ca2778e __dosmaperr 63993->63973 63994 6ca27882 GetFileType 63996 6ca2788d GetLastError 63994->63996 64000 6ca278d4 63994->64000 63995 6ca27857 GetLastError 63995->63993 64073 6ca130e2 __dosmaperr 63996->64073 63997 6ca27805 63997->63994 63997->63995 64072 6ca27b47 CreateFileW 63997->64072 63999 6ca2789b CloseHandle 63999->63993 64002 6ca278c4 63999->64002 64074 6ca24ea0 SetStdHandle __dosmaperr __wsopen_s 64000->64074 64002->63993 64004 6ca2784a 64004->63994 64004->63995 64005 6ca278f5 64006 6ca27941 64005->64006 64075 6ca27d56 70 API calls 2 library calls 64005->64075 64010 6ca27948 64006->64010 64089 6ca27e00 70 API calls 2 library calls 64006->64089 64009 6ca27976 64009->64010 64011 6ca27984 64009->64011 64076 6ca1f015 64010->64076 64011->63993 64013 6ca27a00 CloseHandle 64011->64013 64090 6ca27b47 CreateFileW 64013->64090 64015 6ca27a2b 64015->64002 64016 6ca27a35 GetLastError 64015->64016 64017 6ca27a41 __dosmaperr 64016->64017 64091 6ca24e0f SetStdHandle __dosmaperr __wsopen_s 64017->64091 64019->63975 64021 6ca0f3fb 64020->64021 64027 6ca0f3f2 64020->64027 64022 6ca180a2 __Getctype 37 API calls 64021->64022 64021->64027 64023 6ca0f41b 64022->64023 64024 6ca18618 __Getctype 37 API calls 64023->64024 64025 6ca0f431 64024->64025 64026 6ca18645 __fassign 37 API calls 64025->64026 64026->64027 64027->63981 64028 6ca1a0c5 5 API calls std::_Lockit::_Lockit 64027->64028 64028->63981 64030 6ca0f566 64029->64030 64031 6ca0f54c 64029->64031 64032 6ca0f58c 64030->64032 64033 6ca0f56d 64030->64033 64034 6ca0f4cc __wsopen_s HeapFree GetLastError 64031->64034 64035 6ca17f33 __fassign MultiByteToWideChar 64032->64035 64036 6ca0f556 __dosmaperr 64033->64036 64037 6ca0f48d __wsopen_s HeapFree GetLastError 64033->64037 64034->64036 64039 6ca0f59b 64035->64039 64036->63986 64037->64036 64038 6ca0f5a2 GetLastError 64038->64036 64039->64038 64040 6ca0f5c8 64039->64040 64041 6ca0f48d __wsopen_s HeapFree GetLastError 64039->64041 64040->64036 64042 6ca17f33 __fassign MultiByteToWideChar 64040->64042 64041->64040 64043 6ca0f5df 64042->64043 64043->64036 64043->64038 64045 6ca27c17 64044->64045 64047 6ca27bfd 64044->64047 64046 6ca27b6c __wsopen_s 18 API calls 64045->64046 64051 6ca27c4f 64046->64051 64047->64045 64048 6ca13810 __fassign 18 API calls 64047->64048 64048->64045 64049 6ca27c7e 64050 6ca29001 __wsopen_s 18 API calls 64049->64050 64055 6ca27779 64049->64055 64052 6ca27ccc 64050->64052 64051->64049 64054 6ca13810 __fassign 18 API calls 64051->64054 64053 6ca27d49 64052->64053 64052->64055 64056 6ca1383d __Getctype 11 API calls 64053->64056 64054->64049 64055->63993 64058 6ca24cfc 64055->64058 64057 6ca27d55 64056->64057 64059 6ca24d08 __wsopen_s 64058->64059 64060 6ca13a8f std::_Lockit::_Lockit EnterCriticalSection 64059->64060 64061 6ca24d0f 64060->64061 64063 6ca24d34 64061->64063 64067 6ca24da3 EnterCriticalSection 64061->64067 64070 6ca24d56 64061->64070 64062 6ca24e06 __wsopen_s LeaveCriticalSection 64065 6ca24d76 64062->64065 64064 6ca24f32 __wsopen_s 11 API calls 64063->64064 64066 6ca24d39 64064->64066 64065->63993 64071 6ca27b47 CreateFileW 64065->64071 64068 6ca25080 __wsopen_s EnterCriticalSection 64066->64068 64066->64070 64069 6ca24db0 LeaveCriticalSection 64067->64069 64067->64070 64068->64070 64069->64061 64070->64062 64071->63997 64072->64004 64073->63999 64074->64005 64075->64006 64077 6ca24c92 __wsopen_s 18 API calls 64076->64077 64080 6ca1f025 64077->64080 64078 6ca1f02b 64079 6ca24e0f __wsopen_s SetStdHandle 64078->64079 64088 6ca1f083 __dosmaperr 64079->64088 64080->64078 64081 6ca1f05d 64080->64081 64083 6ca24c92 __wsopen_s 18 API calls 64080->64083 64081->64078 64082 6ca24c92 __wsopen_s 18 API calls 64081->64082 64084 6ca1f069 CloseHandle 64082->64084 64085 6ca1f054 64083->64085 64084->64078 64086 6ca1f075 GetLastError 64084->64086 64087 6ca24c92 __wsopen_s 18 API calls 64085->64087 64086->64078 64087->64081 64088->63993 64089->64009 64090->64015 64091->64002 64092->63892 64094 6ca14299 64093->64094 64095 6ca142ae 64093->64095 64131 6ca13810 18 API calls __fassign 64094->64131 64098 6ca142a9 64095->64098 64109 6ca143a9 64095->64109 64098->63895 64103 6ca142d1 64124 6ca1ef88 64103->64124 64105 6ca142d7 64105->64098 64132 6ca17eab HeapFree GetLastError __dosmaperr 64105->64132 64107->63894 64108->63894 64110 6ca143c1 64109->64110 64111 6ca142c3 64109->64111 64110->64111 64112 6ca1d350 18 API calls 64110->64112 64115 6ca1be2e 64111->64115 64113 6ca143df 64112->64113 64133 6ca1f25c 64113->64133 64116 6ca1be45 64115->64116 64118 6ca142cb 64115->64118 64116->64118 64216 6ca17eab HeapFree GetLastError __dosmaperr 64116->64216 64119 6ca1d350 64118->64119 64120 6ca1d371 64119->64120 64121 6ca1d35c 64119->64121 64120->64103 64217 6ca13810 18 API calls __fassign 64121->64217 64123 6ca1d36c 64123->64103 64125 6ca1ef99 __dosmaperr 64124->64125 64126 6ca1efae 64124->64126 64125->64105 64127 6ca1eff7 __dosmaperr 64126->64127 64128 6ca1efd5 64126->64128 64226 6ca13810 18 API calls __fassign 64127->64226 64218 6ca1f0b1 64128->64218 64131->64098 64132->64098 64134 6ca1f268 __wsopen_s 64133->64134 64135 6ca1f2ba 64134->64135 64137 6ca1f323 __dosmaperr 64134->64137 64140 6ca1f270 __dosmaperr 64134->64140 64144 6ca25080 EnterCriticalSection 64135->64144 64174 6ca13810 18 API calls __fassign 64137->64174 64138 6ca1f2c0 64142 6ca1f2dc __dosmaperr 64138->64142 64145 6ca1f34e 64138->64145 64140->64111 64173 6ca1f31b LeaveCriticalSection __wsopen_s 64142->64173 64144->64138 64146 6ca1f370 64145->64146 64172 6ca1f38c __dosmaperr 64145->64172 64147 6ca1f3c4 64146->64147 64149 6ca1f374 __dosmaperr 64146->64149 64148 6ca1f3d7 64147->64148 64183 6ca1e359 20 API calls __wsopen_s 64147->64183 64175 6ca1f530 64148->64175 64182 6ca13810 18 API calls __fassign 64149->64182 64154 6ca1f3ed 64158 6ca1f3f1 64154->64158 64159 6ca1f416 64154->64159 64155 6ca1f42c 64156 6ca1f440 64155->64156 64157 6ca1f485 WriteFile 64155->64157 64160 6ca1f475 64156->64160 64161 6ca1f44b 64156->64161 64162 6ca1f4a9 GetLastError 64157->64162 64157->64172 64158->64172 64184 6ca1f94b 6 API calls __wsopen_s 64158->64184 64185 6ca1f5a1 43 API calls 5 library calls 64159->64185 64188 6ca1f9b3 7 API calls 2 library calls 64160->64188 64164 6ca1f450 64161->64164 64165 6ca1f465 64161->64165 64162->64172 64168 6ca1f455 64164->64168 64164->64172 64187 6ca1fb77 8 API calls 3 library calls 64165->64187 64186 6ca1fa8e 7 API calls 2 library calls 64168->64186 64170 6ca1f463 64170->64172 64172->64142 64173->64140 64174->64140 64176 6ca250d5 __wsopen_s 18 API calls 64175->64176 64178 6ca1f541 64176->64178 64177 6ca1f3e8 64177->64154 64177->64155 64178->64177 64189 6ca180a2 GetLastError 64178->64189 64181 6ca1f57e GetConsoleMode 64181->64177 64182->64172 64183->64148 64184->64172 64185->64172 64186->64170 64187->64170 64188->64170 64190 6ca180bf 64189->64190 64191 6ca180b9 64189->64191 64193 6ca1a252 __Getctype 6 API calls 64190->64193 64195 6ca180c5 SetLastError 64190->64195 64192 6ca1a213 __Getctype 6 API calls 64191->64192 64192->64190 64194 6ca180dd 64193->64194 64194->64195 64196 6ca180e1 64194->64196 64200 6ca18153 64195->64200 64201 6ca18159 64195->64201 64197 6ca1a8d5 __Getctype EnterCriticalSection LeaveCriticalSection HeapAlloc 64196->64197 64199 6ca180ed 64197->64199 64202 6ca180f5 64199->64202 64203 6ca1810c 64199->64203 64200->64177 64200->64181 64204 6ca141b9 __Getctype 35 API calls 64201->64204 64206 6ca1a252 __Getctype 6 API calls 64202->64206 64205 6ca1a252 __Getctype 6 API calls 64203->64205 64208 6ca1815e 64204->64208 64209 6ca18118 64205->64209 64207 6ca18103 64206->64207 64212 6ca17eab _free HeapFree GetLastError 64207->64212 64210 6ca1812d 64209->64210 64211 6ca1811c 64209->64211 64215 6ca17eab _free HeapFree GetLastError 64210->64215 64213 6ca1a252 __Getctype 6 API calls 64211->64213 64214 6ca18109 64212->64214 64213->64207 64214->64195 64215->64214 64216->64118 64217->64123 64219 6ca1f0bd __wsopen_s 64218->64219 64227 6ca25080 EnterCriticalSection 64219->64227 64221 6ca1f0cb 64222 6ca1f015 __wsopen_s 21 API calls 64221->64222 64223 6ca1f0f8 64221->64223 64222->64223 64228 6ca1f131 LeaveCriticalSection __wsopen_s 64223->64228 64225 6ca1f11a 64225->64125 64226->64125 64227->64221 64228->64225 64229->63730 64230->63732 64231->63730 64232->63730 64233->63730 64235 6c8d022e 64234->64235 64236 6c8a70c4 64235->64236 64241 6ca14ecb 64235->64241 64236->63743 64238->63744 64239->63746 64240->63748 64242 6ca14ef6 64241->64242 64243 6ca14ed9 64241->64243 64242->64235 64243->64242 64244 6ca14ee6 64243->64244 64245 6ca14efa 64243->64245 64257 6ca13810 18 API calls __fassign 64244->64257 64249 6ca150f2 64245->64249 64250 6ca150fe __wsopen_s 64249->64250 64258 6ca0fc99 EnterCriticalSection 64250->64258 64252 6ca1510c 64259 6ca150af 64252->64259 64256 6ca14f2c 64256->64235 64257->64242 64258->64252 64267 6ca1bc96 64259->64267 64265 6ca150e9 64266 6ca15141 LeaveCriticalSection 64265->64266 64266->64256 64268 6ca1d350 18 API calls 64267->64268 64269 6ca1bca7 64268->64269 64270 6ca250d5 __wsopen_s 18 API calls 64269->64270 64272 6ca1bcad __wsopen_s 64270->64272 64271 6ca150c3 64274 6ca14f2e 64271->64274 64272->64271 64284 6ca17eab HeapFree GetLastError __dosmaperr 64272->64284 64276 6ca14f40 64274->64276 64278 6ca14f5e 64274->64278 64275 6ca14f4e 64285 6ca13810 18 API calls __fassign 64275->64285 64276->64275 64276->64278 64281 6ca14f76 _Yarn 64276->64281 64283 6ca1bd49 62 API calls 64278->64283 64279 6ca143a9 62 API calls 64279->64281 64280 6ca1d350 18 API calls 64280->64281 64281->64278 64281->64279 64281->64280 64282 6ca1f25c __wsopen_s 62 API calls 64281->64282 64282->64281 64283->64265 64284->64271 64285->64278 64287 6ca09715 64286->64287 64288 6c8d2020 52 API calls 64287->64288 64289 6ca097b6 64288->64289 64290 6ca0a133 std::_Facet_Register 4 API calls 64289->64290 64291 6ca097ee 64290->64291 64292 6ca0aa17 43 API calls 64291->64292 64293 6ca09802 64292->64293 64294 6c8d1d90 89 API calls 64293->64294 64295 6ca098ab 64294->64295 64296 6ca098dc 64295->64296 64340 6c8d2250 30 API calls 64295->64340 64296->63759 64298 6ca09916 64341 6c8d26e0 24 API calls 4 library calls 64298->64341 64300 6ca09928 64342 6ca0ca69 RaiseException 64300->64342 64302 6ca0993d 64343 6c8ce010 67 API calls 64302->64343 64304 6ca0994f 64304->63759 64306 6ca09a7d 64305->64306 64344 6ca09c90 64306->64344 64308 6ca09b6c 64308->63767 64311 6ca09a95 64311->64308 64362 6c8d2250 30 API calls 64311->64362 64363 6c8d26e0 24 API calls 4 library calls 64311->64363 64364 6ca0ca69 RaiseException 64311->64364 64314 6c8e304f 64313->64314 64317 6c8e3063 64314->64317 64373 6c8d3560 32 API calls std::_Xinvalid_argument 64314->64373 64318 6c8e311e 64317->64318 64375 6c8d2250 30 API calls 64317->64375 64376 6c8d26e0 24 API calls 4 library calls 64317->64376 64377 6ca0ca69 RaiseException 64317->64377 64319 6c8e3131 64318->64319 64374 6c8d37e0 32 API calls std::_Xinvalid_argument 64318->64374 64319->63767 64324 6ca0928e 64323->64324 64328 6ca092c1 64323->64328 64325 6c8d01f0 64 API calls 64324->64325 64327 6ca092b4 64325->64327 64326 6ca09373 64326->63771 64329 6ca14208 67 API calls 64327->64329 64328->64326 64378 6c8d2250 30 API calls 64328->64378 64329->64328 64331 6ca0939e 64379 6c8d2340 24 API calls 64331->64379 64333 6ca093ae 64380 6ca0ca69 RaiseException 64333->64380 64335 6ca093b9 64381 6c8ce010 67 API calls 64335->64381 64337 6ca09412 std::ios_base::_Ios_base_dtor 64337->63771 64338->63763 64339->63768 64340->64298 64341->64300 64342->64302 64343->64304 64345 6ca09cf8 64344->64345 64346 6ca09ccc 64344->64346 64352 6ca09d09 64345->64352 64365 6c8d3560 32 API calls std::_Xinvalid_argument 64345->64365 64360 6ca09cf1 64346->64360 64367 6c8d2250 30 API calls 64346->64367 64349 6ca09ed8 64368 6c8d2340 24 API calls 64349->64368 64351 6ca09ee7 64369 6ca0ca69 RaiseException 64351->64369 64352->64360 64366 6c8d2f60 42 API calls 4 library calls 64352->64366 64356 6ca09f17 64371 6c8d2340 24 API calls 64356->64371 64358 6ca09f2d 64372 6ca0ca69 RaiseException 64358->64372 64360->64311 64361 6ca09d43 64361->64360 64370 6c8d2250 30 API calls 64361->64370 64362->64311 64363->64311 64364->64311 64365->64352 64366->64361 64367->64349 64368->64351 64369->64361 64370->64356 64371->64358 64372->64360 64373->64317 64374->64319 64375->64317 64376->64317 64377->64317 64378->64331 64379->64333 64380->64335 64381->64337 64382 6ca1262f 64383 6ca1263b __wsopen_s 64382->64383 64384 6ca12642 GetLastError ExitThread 64383->64384 64385 6ca1264f 64383->64385 64386 6ca180a2 __Getctype 37 API calls 64385->64386 64387 6ca12654 64386->64387 64394 6ca1d456 64387->64394 64390 6ca1266b 64400 6ca1259a 16 API calls 2 library calls 64390->64400 64393 6ca1268d 64395 6ca1265f 64394->64395 64396 6ca1d468 GetPEB 64394->64396 64395->64390 64399 6ca1a45f 5 API calls std::_Lockit::_Lockit 64395->64399 64396->64395 64397 6ca1d47b 64396->64397 64401 6ca1a508 5 API calls std::_Lockit::_Lockit 64397->64401 64399->64390 64400->64393 64401->64395

                              Executed Functions

                              Function 6C884754 Relevance: 69.2, APIs: 28, Strings: 1, Instructions: 18471COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: HR^
                              • API String ID: 4218353326-1341859651
                              • Opcode ID: 9ecdeca41864a5c2386e66cc3d6811002ed632fbdecb90960da83e0028e54472
                              • Instruction ID: 0c6774ccd0110b18af888cd8dc82eb536836980f9d613d31c756bef5ebbc38c5
                              • Opcode Fuzzy Hash: 9ecdeca41864a5c2386e66cc3d6811002ed632fbdecb90960da83e0028e54472
                              • Instruction Fuzzy Hash: E174F431645B028FC738CF28C9D0695B7E3EF95318B198E6DC0A68BE95E774B54ACB40
                              Function 6CA08930 Relevance: 6.1, APIs: 4, Instructions: 95processCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4604 6ca08930-6ca08964 CreateToolhelp32Snapshot 4605 6ca08980-6ca08989 4604->4605 4606 6ca089d0-6ca089d5 4605->4606 4607 6ca0898b-6ca08990 4605->4607 4610 6ca08a34-6ca08a62 call 6ca0f010 Process32FirstW 4606->4610 4611 6ca089d7-6ca089dc 4606->4611 4608 6ca08992-6ca08997 4607->4608 4609 6ca08a0d-6ca08a12 4607->4609 4612 6ca08966-6ca08973 4608->4612 4613 6ca08999-6ca0899e 4608->4613 4616 6ca08a14-6ca08a2f CloseHandle 4609->4616 4617 6ca08a8b-6ca08a90 4609->4617 4619 6ca08a76-6ca08a86 4610->4619 4614 6ca089e2-6ca089e7 4611->4614 4615 6ca08a64-6ca08a71 Process32NextW 4611->4615 4612->4605 4613->4605 4621 6ca089a0-6ca089ca call 6ca162f5 4613->4621 4614->4605 4622 6ca089e9-6ca08a08 4614->4622 4615->4619 4616->4605 4617->4605 4620 6ca08a96-6ca08aa4 4617->4620 4619->4605 4621->4605 4622->4605
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 6CA0893E
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CreateSnapshotToolhelp32
                              • String ID:
                              • API String ID: 3332741929-0
                              • Opcode ID: a806c3d5c1ae60b006c715ca0dcc4048b50d920cefcf9159c1a655605cec7b0a
                              • Instruction ID: c6476c6f913834ef1cf485ea771a27fd896e3c27b1987e6bfed68946d476d730
                              • Opcode Fuzzy Hash: a806c3d5c1ae60b006c715ca0dcc4048b50d920cefcf9159c1a655605cec7b0a
                              • Instruction Fuzzy Hash: FA318D70309705AFD701AF58D88474EBBE4AF89788F14492EF488E7760D730D8888B57
                              Function 6C883886 Relevance: 3.6, APIs: 2, Instructions: 573COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4877 6c883886-6c88388e 4878 6c883970-6c88397d 4877->4878 4879 6c883894-6c883896 4877->4879 4881 6c88397f-6c883989 4878->4881 4882 6c8839f1-6c8839f8 4878->4882 4879->4878 4880 6c88389c-6c8838b9 4879->4880 4885 6c8838c0-6c8838c1 4880->4885 4881->4880 4886 6c88398f-6c883994 4881->4886 4883 6c8839fe-6c883a03 4882->4883 4884 6c883ab5-6c883aba 4882->4884 4887 6c883a09-6c883a2f 4883->4887 4888 6c8838d2-6c8838d4 4883->4888 4884->4880 4890 6c883ac0-6c883ac7 4884->4890 4889 6c88395e 4885->4889 4891 6c88399a-6c88399f 4886->4891 4892 6c883b16-6c883b18 4886->4892 4893 6c8838f8-6c883955 4887->4893 4894 6c883a35-6c883a3a 4887->4894 4895 6c883957-6c88395c 4888->4895 4896 6c883960-6c883964 4889->4896 4890->4885 4897 6c883acd-6c883ad6 4890->4897 4898 6c88383b-6c883855 call 6c9d2a20 call 6c9d2a30 4891->4898 4899 6c8839a5-6c8839bf 4891->4899 4892->4885 4893->4895 4901 6c883b1d-6c883b22 4894->4901 4902 6c883a40-6c883a57 4894->4902 4895->4889 4904 6c88396a 4896->4904 4905 6c883860-6c883885 4896->4905 4897->4892 4906 6c883ad8-6c883aeb 4897->4906 4898->4905 4900 6c883a5a-6c883a5d 4899->4900 4909 6c883aa9-6c883ab0 4900->4909 4907 6c883b49-6c883b50 4901->4907 4908 6c883b24-6c883b44 4901->4908 4902->4900 4911 6c883ba1-6c883bb6 4904->4911 4905->4877 4906->4893 4912 6c883af1-6c883af8 4906->4912 4907->4885 4915 6c883b56-6c883b5d 4907->4915 4908->4909 4909->4896 4916 6c883bc0-6c883bda call 6c9d2a20 call 6c9d2a30 4911->4916 4918 6c883afa-6c883aff 4912->4918 4919 6c883b62-6c883b85 4912->4919 4915->4896 4928 6c883be0-6c883bfe 4916->4928 4918->4895 4919->4893 4922 6c883b8b 4919->4922 4922->4911 4931 6c883e7b 4928->4931 4932 6c883c04-6c883c11 4928->4932 4935 6c883e81-6c883ee0 call 6c883750 GetCurrentThread NtSetInformationThread 4931->4935 4933 6c883ce0-6c883cea 4932->4933 4934 6c883c17-6c883c20 4932->4934 4939 6c883d3a-6c883d3c 4933->4939 4940 6c883cec-6c883d0c 4933->4940 4936 6c883dc5 4934->4936 4937 6c883c26-6c883c2d 4934->4937 4951 6c883eea-6c883f04 call 6c9d2a20 call 6c9d2a30 4935->4951 4947 6c883dc6 4936->4947 4941 6c883dc3 4937->4941 4942 6c883c33-6c883c3a 4937->4942 4945 6c883d3e-6c883d45 4939->4945 4946 6c883d70-6c883d8d 4939->4946 4944 6c883d90-6c883d95 4940->4944 4941->4936 4949 6c883c40-6c883c5b 4942->4949 4950 6c883e26-6c883e2b 4942->4950 4953 6c883dba-6c883dc1 4944->4953 4954 6c883d97-6c883db8 4944->4954 4952 6c883d50-6c883d57 4945->4952 4946->4944 4948 6c883dc8-6c883dcc 4947->4948 4948->4928 4955 6c883dd2 4948->4955 4956 6c883e1b-6c883e24 4949->4956 4957 6c883c7b-6c883cd0 4950->4957 4958 6c883e31 4950->4958 4971 6c883f75-6c883fa1 4951->4971 4952->4947 4953->4941 4960 6c883dd7-6c883ddc 4953->4960 4954->4936 4963 6c883e76-6c883e79 4955->4963 4956->4948 4956->4963 4957->4952 4958->4916 4961 6c883dde-6c883e17 4960->4961 4962 6c883e36-6c883e3d 4960->4962 4961->4956 4966 6c883e5c-6c883e5f 4962->4966 4967 6c883e3f-6c883e5a 4962->4967 4963->4935 4966->4957 4969 6c883e65-6c883e69 4966->4969 4967->4956 4969->4948 4969->4963 4975 6c884020-6c884026 4971->4975 4976 6c883fa3-6c883fa8 4971->4976 4979 6c88402c-6c88403c 4975->4979 4980 6c883f06-6c883f35 4975->4980 4977 6c88407c-6c884081 4976->4977 4978 6c883fae-6c883fcf 4976->4978 4981 6c8840aa-6c8840ae 4977->4981 4982 6c884083-6c88408a 4977->4982 4978->4981 4984 6c88403e-6c884058 4979->4984 4985 6c8840b3-6c8840b8 4979->4985 4983 6c883f38-6c883f61 4980->4983 4987 6c883f6b-6c883f6f 4981->4987 4982->4983 4988 6c884090 4982->4988 4990 6c883f64-6c883f67 4983->4990 4986 6c88405a-6c884063 4984->4986 4985->4978 4989 6c8840be-6c8840c9 4985->4989 4991 6c884069-6c88406c 4986->4991 4992 6c8840f5-6c88413f 4986->4992 4987->4971 4988->4951 4993 6c8840a7 4988->4993 4989->4981 4994 6c8840cb-6c8840d4 4989->4994 4995 6c883f69 4990->4995 4996 6c884072-6c884077 4991->4996 4997 6c884144-6c88414b 4991->4997 4992->4995 4993->4981 4994->4993 4998 6c8840d6-6c8840f0 4994->4998 4995->4987 4996->4990 4997->4987 4998->4986
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 39f7c465ccf4103a06ab8120a9c78549d84563804352c1a09d1d3166487e3e16
                              • Instruction ID: b1fa04ac7ad16304ab6bc48776abdc80eca2faebf77020ba7d75581dcc2dfb86
                              • Opcode Fuzzy Hash: 39f7c465ccf4103a06ab8120a9c78549d84563804352c1a09d1d3166487e3e16
                              • Instruction Fuzzy Hash: 9332B332246B018FC334CF28C990696B7E3EFD131476A8E6DC0AA5BE55D775B84A8B50
                              Function 6C883A6A Relevance: 3.1, APIs: 2, Instructions: 148threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 46b66de63d88f61374cbd27333ccabe734061dd43d89e82527a5d5f14a8d6a7d
                              • Instruction ID: 78640a0c6c12ec283c60b9e34fb2183d6cad489384934ac82ced13f07cefdce1
                              • Opcode Fuzzy Hash: 46b66de63d88f61374cbd27333ccabe734061dd43d89e82527a5d5f14a8d6a7d
                              • Instruction Fuzzy Hash: AD51D032106B018FC330CF28C980785B7A3BFE1314F6A8E5DC0A61BE91DB74B94A8B51
                              Function 6C8839CF Relevance: 3.1, APIs: 2, Instructions: 139threadCOMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CurrentThread
                              • String ID:
                              • API String ID: 2882836952-0
                              • Opcode ID: 21646878dc771f7312279ccbd40b838d03e65884638c4fca35b60d895cd38afa
                              • Instruction ID: cfaaf73dd37f50949238c3b06d8570c24ac1fb385d521b2bf4c0538190e3560d
                              • Opcode Fuzzy Hash: 21646878dc771f7312279ccbd40b838d03e65884638c4fca35b60d895cd38afa
                              • Instruction Fuzzy Hash: 1A51DE32106B018BC330CF28C580796B7A3BFD5314F6A8E5DC0E65BE95DB70B94A8B91
                              Function 6C883D18 Relevance: 3.1, APIs: 2, Instructions: 89threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C883E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: de44bc887a48bba39557eea52b2be79a94f4fd1ad0c5139589f3dc5fe85bd4d5
                              • Instruction ID: f6811da20ed7edad81732bf2787e9819d40320f8f3033b385d0e5047726f945c
                              • Opcode Fuzzy Hash: de44bc887a48bba39557eea52b2be79a94f4fd1ad0c5139589f3dc5fe85bd4d5
                              • Instruction Fuzzy Hash: B8310232216B058BC330CF24C9947C6B7A2AFA6314F6A8E1CC0A65BE80DB7478098B51
                              Function 6C883D62 Relevance: 3.1, APIs: 2, Instructions: 83threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C883E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: d4186b9ab1694090ce83bc1f08a6cf22d42b1a9d5289622711a06a437e340e3f
                              • Instruction ID: 1baa23b5fabc0e0fb78974b5b8df2a631930835e3b6f5d88c3d4298df8a2947a
                              • Opcode Fuzzy Hash: d4186b9ab1694090ce83bc1f08a6cf22d42b1a9d5289622711a06a437e340e3f
                              • Instruction Fuzzy Hash: 9E310132116B05CBC734CF28C590796B7A6AFA2304F654E5CC0A65BE81DB7178058B91
                              Function 6CA08810 Relevance: 3.1, APIs: 2, Instructions: 72serviceCOMMON
                              Download Yara Rule
                              APIs
                              • OpenSCManagerA.SECHOST(00000000,00000000,00000001), ref: 6CA08820
                              • OpenServiceA.ADVAPI32(?,?,00000004), ref: 6CA088C5
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Open$ManagerService
                              • String ID:
                              • API String ID: 2351955762-0
                              • Opcode ID: 6fe8e3cbebecbba78c2399b44cf40efbd8394643f02507a91dff7b2da64be58e
                              • Instruction ID: abe88243e075c6c14a83e8e0efb05422a88ded4ea58c1a2f6c707e482982bcaf
                              • Opcode Fuzzy Hash: 6fe8e3cbebecbba78c2399b44cf40efbd8394643f02507a91dff7b2da64be58e
                              • Instruction Fuzzy Hash: 24311874618341AFC7009F29D889A0EBBF0BB99394F54885EF489D7261D371C8888B67
                              Function 6C883C62 Relevance: 3.1, APIs: 2, Instructions: 72threadnativeCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 6C883E9D
                              • NtSetInformationThread.NTDLL(00000000,00000011,00000000,00000000), ref: 6C883EAA
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Thread$CurrentInformation
                              • String ID:
                              • API String ID: 1650627709-0
                              • Opcode ID: f3e1e5015f9d69210314c6016e4c3fffe37642a8f5e9864478ee3ba1ff77f778
                              • Instruction ID: d54e065a3991e7089f4319c2beabdd13ad4a83f14e870a7f37aaf235ad17c7f7
                              • Opcode Fuzzy Hash: f3e1e5015f9d69210314c6016e4c3fffe37642a8f5e9864478ee3ba1ff77f778
                              • Instruction Fuzzy Hash: 4721063121AB05CFD734CF24C9A4796B7B6AF92304F658E1DC0A65BE80EB75B8058B51
                              Function 6C9FE090 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON
                              Download Yara Rule
                              APIs
                              • FindFirstFileA.KERNEL32(?,?), ref: 6C9FE0AC
                              • FindClose.KERNEL32(000000FF), ref: 6C9FE0E2
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: 45703b85dac7cbcde8c90ddc62b57425f3969765765ee8095ce9e8bd618de6c8
                              • Instruction ID: ef9b63ba96ee98b3a792001b07b4526218b2d30f2222c96369108867d2e257b0
                              • Opcode Fuzzy Hash: 45703b85dac7cbcde8c90ddc62b57425f3969765765ee8095ce9e8bd618de6c8
                              • Instruction Fuzzy Hash: 39113A7461C391DFC7108F28C944A5ABBF9AF86314F188D4AF4B8C7790D734D9898B82
                              Function 6CA201C3 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3722 6ca201c3-6ca201d3 3723 6ca201d5-6ca201e8 call 6ca130cf call 6ca130bc 3722->3723 3724 6ca201ed-6ca201ef 3722->3724 3740 6ca2056c 3723->3740 3726 6ca20554-6ca20561 call 6ca130cf call 6ca130bc 3724->3726 3727 6ca201f5-6ca201fb 3724->3727 3745 6ca20567 call 6ca13810 3726->3745 3727->3726 3730 6ca20201-6ca20227 3727->3730 3730->3726 3733 6ca2022d-6ca20236 3730->3733 3736 6ca20250-6ca20252 3733->3736 3737 6ca20238-6ca2024b call 6ca130cf call 6ca130bc 3733->3737 3738 6ca20550-6ca20552 3736->3738 3739 6ca20258-6ca2025b 3736->3739 3737->3745 3744 6ca2056f-6ca20572 3738->3744 3739->3738 3743 6ca20261-6ca20265 3739->3743 3740->3744 3743->3737 3747 6ca20267-6ca2027e 3743->3747 3745->3740 3750 6ca20280-6ca20283 3747->3750 3751 6ca202cf-6ca202d5 3747->3751 3753 6ca20293-6ca20299 3750->3753 3754 6ca20285-6ca2028e 3750->3754 3755 6ca202d7-6ca202e1 3751->3755 3756 6ca2029b-6ca202b2 call 6ca130cf call 6ca130bc call 6ca13810 3751->3756 3753->3756 3760 6ca202b7-6ca202ca 3753->3760 3759 6ca20353-6ca20363 3754->3759 3757 6ca202e3-6ca202e5 3755->3757 3758 6ca202e8-6ca20306 call 6ca17ee5 call 6ca17eab * 2 3755->3758 3788 6ca20487 3756->3788 3757->3758 3793 6ca20323-6ca2034c call 6ca1e359 3758->3793 3794 6ca20308-6ca2031e call 6ca130bc call 6ca130cf 3758->3794 3762 6ca20428-6ca20431 call 6ca250d5 3759->3762 3763 6ca20369-6ca20375 3759->3763 3760->3759 3777 6ca20433-6ca20445 3762->3777 3778 6ca204a4 3762->3778 3763->3762 3766 6ca2037b-6ca2037d 3763->3766 3766->3762 3770 6ca20383-6ca203a7 3766->3770 3770->3762 3774 6ca203a9-6ca203bf 3770->3774 3774->3762 3779 6ca203c1-6ca203c3 3774->3779 3777->3778 3783 6ca20447-6ca20456 GetConsoleMode 3777->3783 3781 6ca204a8-6ca204c0 ReadFile 3778->3781 3779->3762 3784 6ca203c5-6ca203eb 3779->3784 3786 6ca204c2-6ca204c8 3781->3786 3787 6ca2051c-6ca20527 GetLastError 3781->3787 3783->3778 3789 6ca20458-6ca2045c 3783->3789 3784->3762 3792 6ca203ed-6ca20403 3784->3792 3786->3787 3797 6ca204ca 3786->3797 3795 6ca20540-6ca20543 3787->3795 3796 6ca20529-6ca2053b call 6ca130bc call 6ca130cf 3787->3796 3791 6ca2048a-6ca20494 call 6ca17eab 3788->3791 3789->3781 3790 6ca2045e-6ca20478 ReadConsoleW 3789->3790 3798 6ca2047a GetLastError 3790->3798 3799 6ca20499-6ca204a2 3790->3799 3791->3744 3792->3762 3803 6ca20405-6ca20407 3792->3803 3793->3759 3794->3788 3800 6ca20480-6ca20486 call 6ca130e2 3795->3800 3801 6ca20549-6ca2054b 3795->3801 3796->3788 3807 6ca204cd-6ca204df 3797->3807 3798->3800 3799->3807 3800->3788 3801->3791 3803->3762 3810 6ca20409-6ca20423 3803->3810 3807->3791 3814 6ca204e1-6ca204e5 3807->3814 3810->3762 3815 6ca204e7-6ca204f7 call 6ca205ee 3814->3815 3816 6ca204fe-6ca20509 3814->3816 3828 6ca204fa-6ca204fc 3815->3828 3822 6ca20515-6ca2051a call 6ca208a6 3816->3822 3823 6ca2050b call 6ca20573 3816->3823 3829 6ca20510-6ca20513 3822->3829 3823->3829 3828->3791 3829->3828
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 868a7a3a867c369fdc9a01f8264abd2fc2f4af26425a331c7f79457a3261b1ae
                              • Instruction ID: 75d4e85af7421f791e9d3505739f9a039a8c6d2c17bead6980f46cd3a21c5005
                              • Opcode Fuzzy Hash: 868a7a3a867c369fdc9a01f8264abd2fc2f4af26425a331c7f79457a3261b1ae
                              • Instruction Fuzzy Hash: CAC12A70E052959FDF05CF98C9A0BADBBB0AF4A314F1C815DE554ABB81C73989C9CB60
                              Function 6CA2775C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3831 6ca2775c-6ca2778c call 6ca27bdc 3834 6ca277a7-6ca277b3 call 6ca24cfc 3831->3834 3835 6ca2778e-6ca27799 call 6ca130cf 3831->3835 3841 6ca277b5-6ca277ca call 6ca130cf call 6ca130bc 3834->3841 3842 6ca277cc-6ca27815 call 6ca27b47 3834->3842 3840 6ca2779b-6ca277a2 call 6ca130bc 3835->3840 3852 6ca27a81-6ca27a85 3840->3852 3841->3840 3850 6ca27882-6ca2788b GetFileType 3842->3850 3851 6ca27817-6ca27820 3842->3851 3856 6ca278d4-6ca278d7 3850->3856 3857 6ca2788d-6ca278be GetLastError call 6ca130e2 CloseHandle 3850->3857 3854 6ca27822-6ca27826 3851->3854 3855 6ca27857-6ca2787d GetLastError call 6ca130e2 3851->3855 3854->3855 3860 6ca27828-6ca27855 call 6ca27b47 3854->3860 3855->3840 3858 6ca278e0-6ca278e6 3856->3858 3859 6ca278d9-6ca278de 3856->3859 3857->3840 3868 6ca278c4-6ca278cf call 6ca130bc 3857->3868 3864 6ca278ea-6ca27938 call 6ca24ea0 3858->3864 3865 6ca278e8 3858->3865 3859->3864 3860->3850 3860->3855 3874 6ca27957-6ca2797f call 6ca27e00 3864->3874 3875 6ca2793a-6ca27946 call 6ca27d56 3864->3875 3865->3864 3868->3840 3880 6ca27981-6ca27982 3874->3880 3881 6ca27984-6ca279c5 3874->3881 3875->3874 3882 6ca27948 3875->3882 3883 6ca2794a-6ca27952 call 6ca1f015 3880->3883 3884 6ca279e6-6ca279f4 3881->3884 3885 6ca279c7-6ca279cb 3881->3885 3882->3883 3883->3852 3888 6ca279fa-6ca279fe 3884->3888 3889 6ca27a7f 3884->3889 3885->3884 3887 6ca279cd-6ca279e1 3885->3887 3887->3884 3888->3889 3891 6ca27a00-6ca27a33 CloseHandle call 6ca27b47 3888->3891 3889->3852 3894 6ca27a67-6ca27a7b 3891->3894 3895 6ca27a35-6ca27a61 GetLastError call 6ca130e2 call 6ca24e0f 3891->3895 3894->3889 3895->3894
                              APIs
                                • Part of subcall function 6CA27B47: CreateFileW.KERNEL32(00000000,00000000,?,6CA27805,?,?,00000000,?,6CA27805,00000000,0000000C), ref: 6CA27B64
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA27870
                              • __dosmaperr.LIBCMT ref: 6CA27877
                              • GetFileType.KERNEL32(00000000), ref: 6CA27883
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6CA2788D
                              • __dosmaperr.LIBCMT ref: 6CA27896
                              • CloseHandle.KERNEL32(00000000), ref: 6CA278B6
                              • CloseHandle.KERNEL32(6CA1E7C0), ref: 6CA27A03
                              • GetLastError.KERNEL32 ref: 6CA27A35
                              • __dosmaperr.LIBCMT ref: 6CA27A3C
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: 8Q
                              • API String ID: 4237864984-4022487301
                              • Opcode ID: 080d3edd83e76e9c79403ae029995f28a32d001d7b06f2e413f1fb9a69c39282
                              • Instruction ID: e752d808381fac2d726d5337abb189d832f1fc6b642da4d6c6af2ea064fcec66
                              • Opcode Fuzzy Hash: 080d3edd83e76e9c79403ae029995f28a32d001d7b06f2e413f1fb9a69c39282
                              • Instruction Fuzzy Hash: D7A13632A041258FCF199F68CC51BAE7BB0AB46328F1C415DE811EF790C7398A8AC751
                              Function 6C9DB4D0 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 834fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNEL32(?,?,00000038,?,00000000), ref: 6C9DB62F
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID: *$,=ym$-=ym$-=ym$B$H
                              • API String ID: 3934441357-3163594065
                              • Opcode ID: 3e04a14c1e131832227ea1cb7ea424d5db61d7e08a7e0548bd03cd685c95b2df
                              • Instruction ID: e9b47d7c3354171f35b3533deccaa9daaa22170a6c337e9770318b44365b0ea3
                              • Opcode Fuzzy Hash: 3e04a14c1e131832227ea1cb7ea424d5db61d7e08a7e0548bd03cd685c95b2df
                              • Instruction Fuzzy Hash: FF7299B06197858FCB14CF28C49065EBBF1AF99304F198E1EE499DBB50E734E8858B53
                              Function 6C884200 Relevance: 9.0, APIs: 3, Strings: 1, Instructions: 2005COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: ;T55
                              • API String ID: 0-2572755013
                              • Opcode ID: 40e0ff5b14e0e1dfdfef86ef39a5744a6c1a8d54099783041ddfe77a752e9262
                              • Instruction ID: eea310ef76fa9b21a03792e07b99419bbe13d49d22ed5f8b0eefb36fde623d48
                              • Opcode Fuzzy Hash: 40e0ff5b14e0e1dfdfef86ef39a5744a6c1a8d54099783041ddfe77a752e9262
                              • Instruction Fuzzy Hash: E703C231645B018FC738CF2CC9D0696B7E2AFE5328719CE6DC0A64BA95DB74B44ACB50
                              Function 6CA086E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62processsynchronizationCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4469 6ca086e0-6ca08767 CreateProcessA 4470 6ca0878b-6ca08794 4469->4470 4471 6ca087b0-6ca087fa WaitForSingleObject CloseHandle * 2 4470->4471 4472 6ca08796-6ca0879b 4470->4472 4471->4470 4473 6ca08770-6ca08783 4472->4473 4474 6ca0879d-6ca087a2 4472->4474 4473->4470 4474->4470 4475 6ca087a4-6ca08807 4474->4475
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CloseHandle$CreateObjectProcessSingleWait
                              • String ID: D
                              • API String ID: 2059082233-2746444292
                              • Opcode ID: a39e829c4b631a21add245f9933b6748c043888a94d9c817328db882d718ea07
                              • Instruction ID: ebb94b3296f9b9fea7a5508aaebb424029d3aad355df3c39ee8ea64ae30d1f6f
                              • Opcode Fuzzy Hash: a39e829c4b631a21add245f9933b6748c043888a94d9c817328db882d718ea07
                              • Instruction Fuzzy Hash: 8631FEB09083808FD740DF28D18471ABBF0AB99358F105A1EF899973A0D7B499C48B47
                              Function 6CA1F34E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 177fileCOMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4477 6ca1f34e-6ca1f36a 4478 6ca1f370-6ca1f372 4477->4478 4479 6ca1f529 4477->4479 4480 6ca1f394-6ca1f3b5 4478->4480 4481 6ca1f374-6ca1f387 call 6ca130cf call 6ca130bc call 6ca13810 4478->4481 4482 6ca1f52b-6ca1f52f 4479->4482 4484 6ca1f3b7-6ca1f3ba 4480->4484 4485 6ca1f3bc-6ca1f3c2 4480->4485 4499 6ca1f38c-6ca1f38f 4481->4499 4484->4485 4486 6ca1f3c4-6ca1f3c9 4484->4486 4485->4481 4485->4486 4488 6ca1f3cb-6ca1f3d7 call 6ca1e359 4486->4488 4489 6ca1f3da-6ca1f3eb call 6ca1f530 4486->4489 4488->4489 4497 6ca1f3ed-6ca1f3ef 4489->4497 4498 6ca1f42c-6ca1f43e 4489->4498 4502 6ca1f3f1-6ca1f3f9 4497->4502 4503 6ca1f416-6ca1f422 call 6ca1f5a1 4497->4503 4500 6ca1f440-6ca1f449 4498->4500 4501 6ca1f485-6ca1f4a7 WriteFile 4498->4501 4499->4482 4504 6ca1f475-6ca1f483 call 6ca1f9b3 4500->4504 4505 6ca1f44b-6ca1f44e 4500->4505 4508 6ca1f4b2 4501->4508 4509 6ca1f4a9-6ca1f4af GetLastError 4501->4509 4506 6ca1f4bb-6ca1f4be 4502->4506 4507 6ca1f3ff-6ca1f40c call 6ca1f94b 4502->4507 4517 6ca1f427-6ca1f42a 4503->4517 4504->4517 4513 6ca1f450-6ca1f453 4505->4513 4514 6ca1f465-6ca1f473 call 6ca1fb77 4505->4514 4512 6ca1f4c1-6ca1f4c6 4506->4512 4518 6ca1f40f-6ca1f411 4507->4518 4511 6ca1f4b5-6ca1f4ba 4508->4511 4509->4508 4511->4506 4519 6ca1f524-6ca1f527 4512->4519 4520 6ca1f4c8-6ca1f4cd 4512->4520 4513->4512 4521 6ca1f455-6ca1f463 call 6ca1fa8e 4513->4521 4514->4517 4517->4518 4518->4511 4519->4482 4525 6ca1f4f9-6ca1f505 4520->4525 4526 6ca1f4cf-6ca1f4d4 4520->4526 4521->4517 4532 6ca1f507-6ca1f50a 4525->4532 4533 6ca1f50c-6ca1f51f call 6ca130bc call 6ca130cf 4525->4533 4529 6ca1f4d6-6ca1f4e8 call 6ca130bc call 6ca130cf 4526->4529 4530 6ca1f4ed-6ca1f4f4 call 6ca130e2 4526->4530 4529->4499 4530->4499 4532->4479 4532->4533 4533->4499
                              APIs
                                • Part of subcall function 6CA1F5A1: GetConsoleCP.KERNEL32(?,6CA1E7C0,?), ref: 6CA1F5E9
                              • WriteFile.KERNEL32(?,?,6CA27DDC,00000000,00000000,?,00000000,00000000,6CA291A6,00000000,00000000,?,00000000,6CA1E7C0,6CA27DDC,00000000), ref: 6CA1F49F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA27DDC,6CA1E7C0,00000000,?,?,?,?,00000000,?), ref: 6CA1F4A9
                              • __dosmaperr.LIBCMT ref: 6CA1F4EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ConsoleErrorFileLastWrite__dosmaperr
                              • String ID: 8Q
                              • API String ID: 251514795-4022487301
                              • Opcode ID: 00db07909963a0bee369f89082487d722eea55f81cbdfc50a00d273c3028953b
                              • Instruction ID: 734258b2af841dc5854cf776afecf4cebaf3dca3082e7c599d9b55666cd9e0e5
                              • Opcode Fuzzy Hash: 00db07909963a0bee369f89082487d722eea55f81cbdfc50a00d273c3028953b
                              • Instruction Fuzzy Hash: 0E510871A0959AAFDF00CFA5CD40BDE7BB8EF09358F180559D510ABE41D734D9C987A0
                              Function 6CA09280 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 142COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4544 6ca09280-6ca0928c 4545 6ca092cd 4544->4545 4546 6ca0928e-6ca09299 4544->4546 4549 6ca092cf-6ca09347 4545->4549 4547 6ca0929b-6ca092ad 4546->4547 4548 6ca092af-6ca092bc call 6c8d01f0 call 6ca14208 4546->4548 4547->4548 4558 6ca092c1-6ca092cb 4548->4558 4551 6ca09373-6ca09379 4549->4551 4552 6ca09349-6ca09371 4549->4552 4552->4551 4554 6ca0937a-6ca09439 call 6c8d2250 call 6c8d2340 call 6ca0ca69 call 6c8ce010 call 6ca0a778 4552->4554 4558->4549
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA09421
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 323602529-1866435925
                              • Opcode ID: fa89869cf01ef72a8206ad3a500434b3815ad412db0ad70e537d0f135fe5a971
                              • Instruction ID: 20d2c5c824976da2fee5586d40af7096f29da2611e12fdc189ed2972bdd25332
                              • Opcode Fuzzy Hash: fa89869cf01ef72a8206ad3a500434b3815ad412db0ad70e537d0f135fe5a971
                              • Instruction Fuzzy Hash: 485134B5600B008FD725CF29C595B97BBF1BB49318F048A2DD8868BB90D775B94ACF90
                              Function 6C9DCEA0 Relevance: 6.2, APIs: 4, Instructions: 187fileCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4567 6c9dcea0-6c9dcf03 call 6ca0a260 4570 6c9dcf40-6c9dcf49 4567->4570 4571 6c9dcf4b-6c9dcf50 4570->4571 4572 6c9dcf90-6c9dcf95 4570->4572 4575 6c9dcf56-6c9dcf5b 4571->4575 4576 6c9dd000-6c9dd005 4571->4576 4573 6c9dcf9b-6c9dcfa0 4572->4573 4574 6c9dd030-6c9dd035 4572->4574 4577 6c9dcf05-6c9dcf21 WriteFile 4573->4577 4578 6c9dcfa6-6c9dcfab 4573->4578 4581 6c9dd17d-6c9dd191 4574->4581 4582 6c9dd03b-6c9dd040 4574->4582 4583 6c9dd065-6c9dd08c 4575->4583 4584 6c9dcf61-6c9dcf66 4575->4584 4579 6c9dd00b-6c9dd010 4576->4579 4580 6c9dd125-6c9dd158 call 6ca0ea90 4576->4580 4592 6c9dcf30 4577->4592 4589 6c9dd0af-6c9dd120 WriteFile 4578->4589 4590 6c9dcfb1-6c9dcfb6 4578->4590 4593 6c9dd15d-6c9dd175 4579->4593 4594 6c9dd016-6c9dd01b 4579->4594 4580->4570 4591 6c9dd195-6c9dd1a2 4581->4591 4595 6c9dd1a7-6c9dd1ac 4582->4595 4596 6c9dd046-6c9dd060 4582->4596 4587 6c9dcf33-6c9dcf38 4583->4587 4585 6c9dcf6c-6c9dcf71 4584->4585 4586 6c9dd091-6c9dd0aa WriteFile 4584->4586 4585->4570 4597 6c9dcf73-6c9dcf86 4585->4597 4586->4592 4587->4570 4589->4592 4590->4570 4599 6c9dcfb8-6c9dcfee call 6ca0f010 ReadFile 4590->4599 4591->4570 4592->4587 4593->4581 4594->4570 4601 6c9dd021-6c9dd02b 4594->4601 4595->4570 4600 6c9dd1b2-6c9dd1c0 4595->4600 4596->4591 4597->4587 4599->4592 4601->4592
                              APIs
                              • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6C9DCFE1
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: d3a41f2f439f1ff01033e4eb85d66b97456e15ca8ebd709656797e1e9947b532
                              • Instruction ID: 5e3647964619ca18b7b50501b237b8f9bbef43a3f43b5ab20d91dcd2046f6f06
                              • Opcode Fuzzy Hash: d3a41f2f439f1ff01033e4eb85d66b97456e15ca8ebd709656797e1e9947b532
                              • Instruction Fuzzy Hash: 0E714BB0208740AFD700DF19C884B9ABBE8FF89708F51892EF494D7650D775E9948F92
                              Function 6C9DC390 Relevance: 5.9, APIs: 1, Strings: 2, Instructions: 631COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4626 6c9dc390-6c9dc406 call 6ca0a260 call 6ca0f010 4631 6c9dc426-6c9dc42f 4626->4631 4632 6c9dc431-6c9dc436 4631->4632 4633 6c9dc490-6c9dc495 4631->4633 4636 6c9dc43c-6c9dc441 4632->4636 4637 6c9dc500-6c9dc505 4632->4637 4634 6c9dc49b-6c9dc4a0 4633->4634 4635 6c9dc570-6c9dc575 4633->4635 4640 6c9dc638-6c9dc63d 4634->4640 4641 6c9dc4a6-6c9dc4ab 4634->4641 4642 6c9dc57b-6c9dc580 4635->4642 4643 6c9dc6d6-6c9dc6db 4635->4643 4644 6c9dc5bf-6c9dc5c4 4636->4644 4645 6c9dc447-6c9dc44c 4636->4645 4638 6c9dc679-6c9dc67e 4637->4638 4639 6c9dc50b-6c9dc510 4637->4639 4652 6c9dc684-6c9dc689 4638->4652 4653 6c9dc8e2-6c9dc8e7 4638->4653 4648 6c9dc7de-6c9dc7e3 4639->4648 4649 6c9dc516-6c9dc51b 4639->4649 4650 6c9dc8ab-6c9dc8b0 4640->4650 4651 6c9dc643-6c9dc648 4640->4651 4654 6c9dc796-6c9dc79b 4641->4654 4655 6c9dc4b1-6c9dc4b6 4641->4655 4656 6c9dc586-6c9dc58b 4642->4656 4657 6c9dc830-6c9dc835 4642->4657 4658 6c9dc6e1-6c9dc6e6 4643->4658 4659 6c9dc912-6c9dc917 4643->4659 4660 6c9dc5ca-6c9dc5cf 4644->4660 4661 6c9dc863-6c9dc868 4644->4661 4646 6c9dc742-6c9dc747 4645->4646 4647 6c9dc452-6c9dc457 4645->4647 4680 6c9dc74d-6c9dc752 4646->4680 4681 6c9dcca3-6c9dccba 4646->4681 4664 6c9dc93d-6c9dc95b 4647->4664 4665 6c9dc45d-6c9dc462 4647->4665 4686 6c9dc7e9-6c9dc7ee 4648->4686 4687 6c9dccfa-6c9dcd23 4648->4687 4682 6c9dc521-6c9dc526 4649->4682 4683 6c9dc9a3-6c9dc9b3 4649->4683 4668 6c9dcdda-6c9dcdf1 4650->4668 4669 6c9dc8b6-6c9dc8bb 4650->4669 4666 6c9dc64e-6c9dc653 4651->4666 4667 6c9dcb08-6c9dcb34 4651->4667 4672 6c9dc68f-6c9dc694 4652->4672 4673 6c9dcb61-6c9dcb85 4652->4673 4670 6c9dc8ed-6c9dc8f2 4653->4670 4671 6c9dcdf9-6c9dce12 4653->4671 4684 6c9dc408-6c9dc418 4654->4684 4685 6c9dc7a1-6c9dc7a6 4654->4685 4674 6c9dc4bc-6c9dc4c1 4655->4674 4675 6c9dc97a-6c9dc984 4655->4675 4688 6c9dc9fe-6c9dca3a 4656->4688 4689 6c9dc591-6c9dc596 4656->4689 4690 6c9dcd6c-6c9dcd88 4657->4690 4691 6c9dc83b-6c9dc840 4657->4691 4678 6c9dc6ec-6c9dc6f1 4658->4678 4679 6c9dcc12-6c9dcc4d call 6ca0f010 call 6c9db4d0 4658->4679 4676 6c9dc91d-6c9dc922 4659->4676 4677 6c9dce1a-6c9dce29 4659->4677 4692 6c9dc5d5-6c9dc5da 4660->4692 4693 6c9dca71-6c9dca9b call 6ca0ea90 4660->4693 4662 6c9dc86e-6c9dc873 4661->4662 4663 6c9dcdb7-6c9dcdbf 4661->4663 4694 6c9dc879-6c9dc8a6 4662->4694 4695 6c9dce31-6c9dce36 4662->4695 4721 6c9dcdc4-6c9dcdd5 4663->4721 4703 6c9dcd8a-6c9dcd98 4664->4703 4696 6c9dc468-6c9dc46d 4665->4696 4697 6c9dc960-6c9dc975 4665->4697 4712 6c9dcb39-6c9dcb5c 4666->4712 4713 6c9dc659-6c9dc65e 4666->4713 4667->4631 4668->4671 4669->4631 4698 6c9dc8c1-6c9dc8dd 4669->4698 4670->4631 4699 6c9dc8f8-6c9dc90d 4670->4699 4671->4677 4714 6c9dcb8a-6c9dcc0d 4672->4714 4715 6c9dc69a-6c9dc69f 4672->4715 4673->4631 4700 6c9dc989-6c9dc99e 4674->4700 4701 6c9dc4c7-6c9dc4cc 4674->4701 4675->4631 4676->4631 4702 6c9dc928-6c9dc938 4676->4702 4677->4695 4717 6c9dcc77-6c9dcc88 4678->4717 4718 6c9dc6f7-6c9dc6fc 4678->4718 4752 6c9dcc52-6c9dcc72 4679->4752 4719 6c9dccc9-6c9dccd8 4680->4719 4720 6c9dc758-6c9dc75d 4680->4720 4716 6c9dccbc-6c9dccc4 4681->4716 4704 6c9dc9bd-6c9dc9c5 4682->4704 4705 6c9dc52c-6c9dc531 4682->4705 4683->4704 4726 6c9dc41d 4684->4726 4722 6c9dc7ac-6c9dc7b1 4685->4722 4723 6c9dcce0-6c9dccf5 4685->4723 4724 6c9dcd28-6c9dcd67 4686->4724 4725 6c9dc7f4-6c9dc7f9 4686->4725 4687->4631 4708 6c9dca43-6c9dca6c 4688->4708 4707 6c9dc59c-6c9dc5a1 4689->4707 4689->4708 4690->4703 4727 6c9dcd9d-6c9dcdad 4691->4727 4728 6c9dc846-6c9dc84b 4691->4728 4709 6c9dcaa0-6c9dcb03 call 6c9dce50 CreateFileA 4692->4709 4710 6c9dc5e0-6c9dc5e5 4692->4710 4693->4631 4694->4631 4695->4631 4746 6c9dce3c-6c9dce47 4695->4746 4696->4631 4729 6c9dc46f-6c9dc483 4696->4729 4697->4631 4730 6c9dcc8d-6c9dcc9e 4698->4730 4699->4631 4732 6c9dc420-6c9dc424 4700->4732 4701->4631 4731 6c9dc4d2-6c9dc4fa call 6c9d2a20 call 6c9d2a30 4701->4731 4702->4721 4703->4631 4733 6c9dc9ca-6c9dc9f9 4704->4733 4705->4631 4734 6c9dc537-6c9dc561 4705->4734 4707->4631 4736 6c9dc5a7-6c9dc5ba 4707->4736 4708->4631 4709->4631 4710->4631 4738 6c9dc5eb-6c9dc633 4710->4738 4712->4631 4713->4631 4740 6c9dc664-6c9dc674 4713->4740 4714->4631 4715->4631 4741 6c9dc6a5-6c9dc6d1 4715->4741 4716->4631 4717->4730 4718->4631 4742 6c9dc702-6c9dc73d 4718->4742 4719->4723 4720->4631 4743 6c9dc763-6c9dc791 4720->4743 4721->4631 4722->4631 4744 6c9dc7b7-6c9dc7d9 4722->4744 4723->4726 4724->4631 4725->4631 4745 6c9dc7ff-6c9dc82b 4725->4745 4726->4732 4727->4663 4728->4631 4747 6c9dc851-6c9dc85e 4728->4747 4729->4721 4730->4631 4731->4631 4732->4631 4733->4631 4734->4631 4736->4631 4738->4631 4740->4733 4741->4631 4742->4631 4743->4716 4744->4703 4745->4631 4747->4733 4752->4631
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @*Z$@*Z
                              • API String ID: 0-2842812045
                              • Opcode ID: ab790f8380408995587536559ce060a501905a2bbcbf2225e5f01dad00b90909
                              • Instruction ID: 83bb267ef4fd10c6ab5c41b09acff0afd91bbb191900a4c03492e758f33f22d0
                              • Opcode Fuzzy Hash: ab790f8380408995587536559ce060a501905a2bbcbf2225e5f01dad00b90909
                              • Instruction Fuzzy Hash: C94277706097428FCB14DF68D48166ABBE1AF89318F258D6EF49AE7761D330E945CB03
                              Function 6CA1F015 Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 4755 6ca1f015-6ca1f029 call 6ca24c92 4758 6ca1f02b-6ca1f02d 4755->4758 4759 6ca1f02f-6ca1f037 4755->4759 4760 6ca1f07d-6ca1f09d call 6ca24e0f 4758->4760 4761 6ca1f042-6ca1f045 4759->4761 4762 6ca1f039-6ca1f040 4759->4762 4771 6ca1f0ab 4760->4771 4772 6ca1f09f-6ca1f0a9 call 6ca130e2 4760->4772 4765 6ca1f063-6ca1f073 call 6ca24c92 CloseHandle 4761->4765 4766 6ca1f047-6ca1f04b 4761->4766 4762->4761 4764 6ca1f04d-6ca1f061 call 6ca24c92 * 2 4762->4764 4764->4758 4764->4765 4765->4758 4774 6ca1f075-6ca1f07b GetLastError 4765->4774 4766->4764 4766->4765 4776 6ca1f0ad-6ca1f0b0 4771->4776 4772->4776 4774->4760
                              APIs
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,6CA2794F), ref: 6CA1F06B
                              • GetLastError.KERNEL32(?,00000000,?,6CA2794F), ref: 6CA1F075
                              • __dosmaperr.LIBCMT ref: 6CA1F0A0
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID:
                              • API String ID: 2583163307-0
                              • Opcode ID: 74f30c3851cf379b5dabc6a7db375fe036d09f92b240a0b53ae73b8e2e1a634c
                              • Instruction ID: c5d559eba6b30410c0596adedf7b26832f56c8aad2cd433a7ebc98c7e2dd47cb
                              • Opcode Fuzzy Hash: 74f30c3851cf379b5dabc6a7db375fe036d09f92b240a0b53ae73b8e2e1a634c
                              • Instruction Fuzzy Hash: 4801043370D6B01ED31416399E94BAE27694B8373CF2D865DE9188BEC1FF6988C94290
                              Function 6CA1428C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 5000 6ca1428c-6ca14297 5001 6ca14299-6ca142ac call 6ca130bc call 6ca13810 5000->5001 5002 6ca142ae-6ca142bb 5000->5002 5013 6ca14300-6ca14302 5001->5013 5003 6ca142f6-6ca142ff call 6ca1e565 5002->5003 5004 6ca142bd-6ca142d2 call 6ca143a9 call 6ca1be2e call 6ca1d350 call 6ca1ef88 5002->5004 5003->5013 5019 6ca142d7-6ca142dc 5004->5019 5020 6ca142e3-6ca142e7 5019->5020 5021 6ca142de-6ca142e1 5019->5021 5020->5003 5022 6ca142e9-6ca142f5 call 6ca17eab 5020->5022 5021->5003 5022->5003
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: 8Q
                              • API String ID: 0-4022487301
                              • Opcode ID: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction ID: 586704e3c5b559ad5ce6df5560df3a38f7a5e7591628969fbcf564a0a50d0a45
                              • Opcode Fuzzy Hash: 0eceabb69cc212cdc16fe4ea4eed4d534fb07063be66ce5869ee3001f537518c
                              • Instruction Fuzzy Hash: 7AF0F43690D6205AD7315A3DDD04BCB32A88F4233CF280B15E92497EC0DB30D4CE8AE1
                              Function 6CA09050 Relevance: 3.1, APIs: 2, Instructions: 108COMMON
                              Download Yara Rule
                              APIs
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA091A4
                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 6CA091E4
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Ios_base_dtorstd::ios_base::_
                              • String ID:
                              • API String ID: 323602529-0
                              • Opcode ID: c2c975ecf8795625947b1f4de379d2194be5fc0412f7040d328e731b403a07bc
                              • Instruction ID: 3090b8b490943da127d1238622825dc5dc2c2d7f50f132d548013fddc766d6b7
                              • Opcode Fuzzy Hash: c2c975ecf8795625947b1f4de379d2194be5fc0412f7040d328e731b403a07bc
                              • Instruction Fuzzy Hash: 55514971201B00DBE725CF29D985BD6B7F4BB09718F448A1CD4AA47BA1DB31F989CB81
                              Function 6CA1262F Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(6CA39DD0,0000000C), ref: 6CA12642
                              • ExitThread.KERNEL32 ref: 6CA12649
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorExitLastThread
                              • String ID:
                              • API String ID: 1611280651-0
                              • Opcode ID: 3c8831114cd12edf70d88716e83b4a2a40870793e200b098abef4db0db5a806f
                              • Instruction ID: 01d5026e392aa1d55fb4e50d0afde9aa54543731f4fbb5350f6c40c2a2e833f1
                              • Opcode Fuzzy Hash: 3c8831114cd12edf70d88716e83b4a2a40870793e200b098abef4db0db5a806f
                              • Instruction Fuzzy Hash: 9BF0FF30A08208AFDB049F70CA4DAAE3B74FF42204F184609E005A7F90DB309889CBA0
                              Function 6CA1E662 Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __wsopen_s
                              • String ID:
                              • API String ID: 3347428461-0
                              • Opcode ID: 028c8f08164d31a73a6f82b0864f70302fca748d2accde6e69eb022e04575819
                              • Instruction ID: b93d1058655cf176ae6e9cd587b5b1cbc835e62588ba89e36362d8e7f2908d45
                              • Opcode Fuzzy Hash: 028c8f08164d31a73a6f82b0864f70302fca748d2accde6e69eb022e04575819
                              • Instruction Fuzzy Hash: 72116A75A0420AAFCB05CF58E948D9B7BF8EF48304F144069F804AB701D670E915CBA4
                              Function 6CA276EE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction ID: 42d5bb228d694a17d11533e7d9b5c358ad4631ef8124e18f5ec5bad18befb7e9
                              • Opcode Fuzzy Hash: be7da6dea50fa55462c2689bd82912a63b2abf68e9cf5535eb42c5cf9c623313
                              • Instruction Fuzzy Hash: E3014472C01159AFCF019FA8CD019EE7FB5AF08214F184565ED64E2550E7358A68DB91
                              Function 6CA27B47 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000000,?,6CA27805,?,?,00000000,?,6CA27805,00000000,0000000C), ref: 6CA27B64
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              • Opcode ID: ca61657e5a5b60fe57acbe35d2d2b6b82e1b8706fcc6ff1f5a5c4a6e98721df9
                              • Instruction ID: 81c98a3319e922ed65bea58ea803802954e00f88bac52a0331ff2d719d415652
                              • Opcode Fuzzy Hash: ca61657e5a5b60fe57acbe35d2d2b6b82e1b8706fcc6ff1f5a5c4a6e98721df9
                              • Instruction Fuzzy Hash: 4CD06C3210024DFBDF128E84DD06EDA3BBAFB48715F018000BA1896020C732E862AB90
                              Function 6C8D83A0 Relevance: 1.5, APIs: 1, Instructions: 1COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction ID: 71ea39fda03c260b96851634b618ab069f19807c3df348ff12418d00f301ac7e
                              • Opcode Fuzzy Hash: a80223a001130716628e74e8086c402ab21fb308a8a87af2905342d4276af0b1
                              • Instruction Fuzzy Hash:

                              Non-executed Functions

                              Function 6CA04860 Relevance: 11.0, APIs: 3, Strings: 1, Instructions: 4048COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _strlen
                              • String ID: C
                              • API String ID: 4218353326-4157497815
                              • Opcode ID: dc87bb8bda6793c7fee08cd944a1b9351661d6db7ec904db49e61faacdf2787f
                              • Instruction ID: 95648386302b30b84781228aff0e2759d14b76c86d947b2fb95be3e253784a67
                              • Opcode Fuzzy Hash: dc87bb8bda6793c7fee08cd944a1b9351661d6db7ec904db49e61faacdf2787f
                              • Instruction Fuzzy Hash: C8731371744B018FC728CF29D8D0A96B3F2BF9535871D8A6DC09787A95EB34B58ACB40
                              Function 6CA09450 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 31nativeshutdownCOMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 6CA0945A
                              • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 6CA09466
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 6CA09474
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000), ref: 6CA0949B
                              • NtInitiatePowerAction.NTDLL ref: 6CA094AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ProcessToken$ActionAdjustCurrentInitiateLookupOpenPowerPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3256374457-3733053543
                              • Opcode ID: 0a516303e576c952f926dac0b1bc53f18b5a8a36c06280453ccdfc80fc0afc1c
                              • Instruction ID: 8ff2972ea75193a52d82cf4efae0b30fa030d9c5e46addc3a7d5a660ca350410
                              • Opcode Fuzzy Hash: 0a516303e576c952f926dac0b1bc53f18b5a8a36c06280453ccdfc80fc0afc1c
                              • Instruction Fuzzy Hash: BDF03070745314ABEA40AB28CD0EB9ABBB8EF55701F00451CF986AB1D1D7B069958BA2
                              Function 6C881950 Relevance: 9.3, APIs: 2, Strings: 3, Instructions: 594COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: \j`7$\j`7$j
                              • API String ID: 0-3644614255
                              • Opcode ID: a356be0a5ec8f9eae94e62dd0db874b4485f8fe6f960f069a7406a706b5179f2
                              • Instruction ID: d0c86d151c342f6e3ea1fea23c86f5aa1cc1971e91697e42623f379b9850696d
                              • Opcode Fuzzy Hash: a356be0a5ec8f9eae94e62dd0db874b4485f8fe6f960f069a7406a706b5179f2
                              • Instruction Fuzzy Hash: 3242447460A3828FCB24CF68C58065ABBE1BBC9314F244E2EE4A5D7B61D774E845CB53
                              Function 6CA69CE0 Relevance: 5.4, APIs: 1, Strings: 1, Instructions: 1923COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA69CE5
                                • Part of subcall function 6CA3FC2A: __EH_prolog.LIBCMT ref: 6CA3FC2F
                                • Part of subcall function 6CA416A6: __EH_prolog.LIBCMT ref: 6CA416AB
                                • Part of subcall function 6CA69A0E: __EH_prolog.LIBCMT ref: 6CA69A13
                                • Part of subcall function 6CA69837: __EH_prolog.LIBCMT ref: 6CA6983C
                                • Part of subcall function 6CA6D143: __EH_prolog.LIBCMT ref: 6CA6D148
                                • Part of subcall function 6CA6D143: ctype.LIBCPMT ref: 6CA6D16C
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog$ctype
                              • String ID:
                              • API String ID: 1039218491-3916222277
                              • Opcode ID: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction ID: 60eb1ddcab7ce3358551fe4e57c2728208a3f3a0e38382de15fe97515f3bb357
                              • Opcode Fuzzy Hash: 098dff2231b0858f17f8b87dde5ab3f8fadd385b4ae7cbdd9e046d221faa4b6f
                              • Instruction Fuzzy Hash: 8F03BB308012A8DFDF11DFA5CA54BDCBBB1AF15308F248099E449A7A91DB749ECDDB21
                              Function 6CA13871 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CA13969
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CA13973
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CA13980
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: e7ece88668714f5cb6aa2d3c1aceb76f3c41b55c6f9703c4418091be4b6624c9
                              • Instruction ID: 26afb1c7ec70846a30b4ac17c143e51ab2a8ee2cb38ede3312cb77e31286e45d
                              • Opcode Fuzzy Hash: e7ece88668714f5cb6aa2d3c1aceb76f3c41b55c6f9703c4418091be4b6624c9
                              • Instruction Fuzzy Hash: 4D31B17490122C9BCB61DF64D988BCDBBB8BF08354F5046EAE41CA7650EB709BC58F44
                              Function 6CA1286D Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,?,6CA12925,6CA0D339,00000003,00000000,6CA0D339,00000000), ref: 6CA1288F
                              • TerminateProcess.KERNEL32(00000000,?,6CA12925,6CA0D339,00000003,00000000,6CA0D339,00000000), ref: 6CA12896
                              • ExitProcess.KERNEL32 ref: 6CA128A8
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 491c8b7c958ed345a2745c583c3acd758278c3a8ee2b82d6a60da5d3dde74725
                              • Instruction ID: 1aebba8ff0058dac3ae012c517aaf9c02d03abf8ddac77a6a46bc89496281f1f
                              • Opcode Fuzzy Hash: 491c8b7c958ed345a2745c583c3acd758278c3a8ee2b82d6a60da5d3dde74725
                              • Instruction Fuzzy Hash: A3E08C31544208EFCF166F10CE1CA883FB9FF86745B148524F809C6A20CB3AE8C2DB80
                              Function 6CA3BEA1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: x=J
                              • API String ID: 3519838083-1497497802
                              • Opcode ID: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction ID: 14d284b4e2ffb36b32ff17c998022f53663bd8e8575c2b290c5b086472b1912f
                              • Opcode Fuzzy Hash: c284c417a2f68c1c742bc951fc924e558872fa0b35763257f7574c1e26c9a400
                              • Instruction Fuzzy Hash: 82910231D002399BCF04EFA8DDA09EDB772AF0630CF24A229D459E7A51DB3199C9CB54
                              Function 6CA0A133 Relevance: 3.3, APIs: 2, Instructions: 302COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 6CA0AFA0
                              • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CA0B7C3
                                • Part of subcall function 6CA0CA69: RaiseException.KERNEL32(E06D7363,00000001,00000003,6CA0B7AC,00000000,?,?,?,6CA0B7AC,?,6CA3853C), ref: 6CA0CAC9
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ExceptionFeaturePresentProcessorRaisestd::invalid_argument::invalid_argument
                              • String ID:
                              • API String ID: 915016180-0
                              • Opcode ID: 585db3ec446710d961cdc7172708153372cb96659e6b44060eebed14ad436d0a
                              • Instruction ID: 87578b48b100ea21b2b9a04c1495f0bbccecb39376a0233748b297d782161999
                              • Opcode Fuzzy Hash: 585db3ec446710d961cdc7172708153372cb96659e6b44060eebed14ad436d0a
                              • Instruction Fuzzy Hash: EAB1AE71F042089FDF04CF65E98269EBBB5FB59368F24822ED815E7690D3349588CFA0
                              Function 6CA3B972 Relevance: 2.6, Strings: 2, Instructions: 91COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @4J$DsL
                              • API String ID: 0-2004129199
                              • Opcode ID: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction ID: 9848fc5da937ccffc22532122a9c71a85f976faabf4642eeb0727ce246d4f9fe
                              • Opcode Fuzzy Hash: 9b82dfd3553fe836d7aa24bd6b5882a619f6ea42a248f1f14d7e615b1deddf65
                              • Instruction Fuzzy Hash: 272191376A4C564BD74CCA28EC33EB92680E744305B89627EE94BCB3D1DF5C9800C648
                              Function 6CA5840A Relevance: 2.3, APIs: 1, Instructions: 760COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA5840F
                                • Part of subcall function 6CA59137: __EH_prolog.LIBCMT ref: 6CA5913C
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction ID: 234452a7105ce321623ac4886089d215721abdb7657c7868f91e290516282c41
                              • Opcode Fuzzy Hash: 8552379c3bb9a98a981715b0c2d56659a9b66d2cd3d1a4f2db75c79318028cc2
                              • Instruction Fuzzy Hash: 4662AC71D51219CFDF15CFA4C990BEEBBB1BF04308F54805AE815ABA80D7749AA9CF90
                              Function 6CAB0AD0 Relevance: 1.9, Strings: 1, Instructions: 669COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: YA1
                              • API String ID: 0-613462611
                              • Opcode ID: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction ID: a0df04230d5057fa7456c21e4517a5e5a43c08203495985bd0cce0886bc78321
                              • Opcode Fuzzy Hash: df9d50bcc828b940dfae17b14b827ef815617663f23fa9b0dba43a4edbf83f29
                              • Instruction Fuzzy Hash: A642F4706093818FD315CF28C59069ABBE6FFC9308F184A6DE4D59B742D771D98ACB42
                              Function 6CA43BCA Relevance: 1.7, APIs: 1, Instructions: 201COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aullrem
                              • String ID:
                              • API String ID: 3758378126-0
                              • Opcode ID: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction ID: 860162711efc3873395cef71e3d91795b9147df2c7fd8c7bacf32fbce3a393fe
                              • Opcode Fuzzy Hash: d1b669466a100d6f0f6c84f42758606c7eb5b4ffe16e73214497a835af333093
                              • Instruction Fuzzy Hash: 2051EA71A092459BD710CF5EC4C02EDFBF6EF79214F18C45DE8C897242D27A599AC760
                              Function 6CABCE80 Relevance: 1.7, Strings: 1, Instructions: 424COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction ID: 8cb7abacae24667be255d491c4c00a0fa34b574a9f2933a005c80a739ba08f76
                              • Opcode Fuzzy Hash: acb8407a1b1d291f125d5a9761f4a1fdf91c25411dab1fb78ed15b47a431c268
                              • Instruction Fuzzy Hash: 9702B231A093818BD324CF29C59079EBBE6BFC8318F184A2DE4C5A7759C775D989CB42
                              Function 6CA3F7CF Relevance: 1.4, Strings: 1, Instructions: 177COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: (SL
                              • API String ID: 0-669240678
                              • Opcode ID: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction ID: d8e40c1436555e94ca1966dae932d9b1ee2a3061355bcbf9100f5076043be3b0
                              • Opcode Fuzzy Hash: 403d64dc1b872b29255918294ce527b86f393edeaddcf848938bb8168c435548
                              • Instruction Fuzzy Hash: 92518473E208314AD78CCE24DC21B7572D2E784310F8BC1B99D4BAB6E6DD78A89587D4
                              Function 6CB17A46 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: B
                              • API String ID: 0-1255198513
                              • Opcode ID: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                              • Instruction ID: 5399b48427d8b78ca213858ca658d2028916de1351a70f887a652618bd425e59
                              • Opcode Fuzzy Hash: 26643807f12313c04aaa413d9f20b4c0588d72bb55b68c80837e514dee027d31
                              • Instruction Fuzzy Hash: 553115315087918BD314DF68D884AABB3E2FBD4325F60CA3DD89ACBA94E7745415CF41
                              Function 6CAB3020 Relevance: .8, Instructions: 762COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction ID: 4ec594a988228a68f68f12b3114017dc878d3f49a7ff168ecf2f62030f1ece86
                              • Opcode Fuzzy Hash: 3901934d13cb486671902a8639e4417b1e8cd50483714420dc8c7fa42b5c990c
                              • Instruction Fuzzy Hash: A8526E31209B418BD318CF29C5946AAF7E6BF95308F188A2DD4DAD7B41DB74F889CB41
                              Function 6CACD930 Relevance: .7, Instructions: 740COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction ID: 87a13c3458ba395d77499b9f0e0a6a16f26f0f94e9dea428bb29b25649dbf9ed
                              • Opcode Fuzzy Hash: bb173c08d896bf76c8f12b9495eb2c2eeed1eb95d4f1202fd14126b970d45cbc
                              • Instruction Fuzzy Hash: 3362D1B1A493458FC714CF1AC58061ABBF5BFC8744F288A2EE89997715D770E885CB83
                              Function 6CAB6D50 Relevance: .5, Instructions: 547COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction ID: e69dc72334366751dfc5c85da6c313ae0a5d8282e065e0c6a52a9e7c5e01ec14
                              • Opcode Fuzzy Hash: ae17103ab74f7c7ba27116ddf20acfa1a33030b9793f89cfab32f42cff4eb5f1
                              • Instruction Fuzzy Hash: A112CF712097418FC718CF29C59066AFBE6BFC8304F58892DE896D7B41DB71E889CB61
                              Function 6CAC7AA0 Relevance: .5, Instructions: 474COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction ID: a576659ccb5cef0e1ee2654d3a9dd5522f9deae83591138d6690230fd4ff78ec
                              • Opcode Fuzzy Hash: f4c3878cdf6dda1e5ca36c24f377bc52bcf6993d29949e9196dea34e7f5de905
                              • Instruction Fuzzy Hash: 4502E632B082128BC319CE2DC490269BBF2FBC4355F194B2EE496D7A94D77499C4CB93
                              Function 6CAB2A50 Relevance: .5, Instructions: 453COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction ID: 9d5c6d84bfbe34890e06c866f92545adaacbd74ca9415a254e32e983fcffee30
                              • Opcode Fuzzy Hash: 1d22da7b9f01d20fe9c2b0fcfce1f7ad9ec50e907d9644d55dcb606a953bfaed
                              • Instruction Fuzzy Hash: A7F125316042898BEB24CE28D4547EEBBE1FBC5304F58463ED889DBB41DB35958EC791
                              Function 6CAC25C0 Relevance: .3, Instructions: 333COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction ID: 57e5fec7c8b886947e5debf3d8871db145e3cd2fb5a11b5348cf29ea705de189
                              • Opcode Fuzzy Hash: 37fe9a4fd3af81bafc73f8bd31f63684d8e342a2009f8b6bc144f44596592570
                              • Instruction Fuzzy Hash: CED142716047128FD318CF1DC4A8236BBE1FF86304F094ABDDAA28B39ADB349555CB52
                              Function 6CB54F0A Relevance: .3, Instructions: 332COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                              • Instruction ID: fa9e0525e99d24c33e41b837c59e7dcde02c8bea7c56a959bd84f40842cdde53
                              • Opcode Fuzzy Hash: b1f756ee2fe841902191c907d409ace29a41e7dd29706095e1f65657f94ace09
                              • Instruction Fuzzy Hash: D7B1C8366087928BD718DE7CD8508BB73E2EBC1320F548A3DE59AC79C4DB35951A8B81
                              Function 6CAB5580 Relevance: .3, Instructions: 316COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction ID: d6442972cbc137a2100fef42b2ce24992c59cd6f1f6055cf725bb044a0bc6d77
                              • Opcode Fuzzy Hash: ae4b2f2b70234ac2bedfdde99fbf7177c16b95a6c2c71cfcccbd0d12063c7eec
                              • Instruction Fuzzy Hash: 21C1E4352047418BC719CF3DD0A02A7BBE6EFDA314F188A6DC4CA4BB55DA30A84ECB55
                              Function 6CAB1810 Relevance: .3, Instructions: 296COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction ID: 3272c711ccdb82eae92055966101df96fe81ea6b06fe9ab191ba1f88653c87a2
                              • Opcode Fuzzy Hash: d6cb5a5b9c3abea019be7d104db6e1742bcc809bf8f8dd5f8f219f0a705516a1
                              • Instruction Fuzzy Hash: 0AB1BF31304B454BD324DF79CA90BEAB7E9AF81308F04492DD6AA97751EF30B98D8790
                              Function 6CAB4AA0 Relevance: .3, Instructions: 291COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction ID: 10cb8be729aca2fdd34823f3a1e2feabf7caf5329f6e623b38596185bad3f50e
                              • Opcode Fuzzy Hash: a42b4b82a53dfb7125c27c391958f90512e79f572afba738efee2a2e68b245a2
                              • Instruction Fuzzy Hash: 82B1AE756087028BC304DF29C8806ABF7E2FFC8304F18892DE599C7715E771A59ACBA5
                              Function 6CABC9F0 Relevance: .3, Instructions: 287COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction ID: d70cd0ac622fe2ae566d70de2cafa91455a7192a90f367f8efe59afb41d79e7f
                              • Opcode Fuzzy Hash: 57f28dc9a1232a8c06b083a4d088c40ef3b8ca8235aec33933a76f5351274b3b
                              • Instruction Fuzzy Hash: 74A1C3726083418FC318DF2DC490A9EBBE5ABD534CF584A2DE4D6E7741D631E98ACB42
                              Function 6CABC6E0 Relevance: .2, Instructions: 223COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction ID: a7f7d37345c6b74a268d5fe91829855a5dfca22ff97d3de563ed67b8662335e5
                              • Opcode Fuzzy Hash: b96a3bfa2f071fda60c0812de3eea8bd7f1a293af8749856eb5c89b36b6714e8
                              • Instruction Fuzzy Hash: 0581C235A047058FC320DF29C080696F7E5FF99718F28CA6DC599AB711E772E986CB81
                              Function 6CB73881 Relevance: .2, Instructions: 184COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                              • Instruction ID: 92c127e5438df9dc9c801e546e2fb84623254b291a2cb08d274bd5f6f7ae14ff
                              • Opcode Fuzzy Hash: 009345f38ae626d469f014b0d0cdef2e0b6b81041916f6b4890b19886bbdf896
                              • Instruction Fuzzy Hash: 6A519936A166124BC70CDA3CD8615E73392EBC6370B59C73EE55AC79D4EB7A940BC600
                              Function 6CA53B66 Relevance: .2, Instructions: 167COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction ID: afe528413bb83d401284645c45d5171b44d95e9dd5bb21cf856118f47c5a50b5
                              • Opcode Fuzzy Hash: e7510d37d1dc4b924ec4f7ba8427fb7a6be5c38a378ebc779dfd7017bf70bacd
                              • Instruction Fuzzy Hash: A651DE72F016099FDB08CE98DD916EDB7F2EB88304F648469D151E7381D7749A85CB40
                              Function 6CBDB06F Relevance: .2, Instructions: 155COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                              • Instruction ID: 6d09d00309c3d26dbddf80d6c538eae885e1406effb40ac4f49ede69e1f9d6ba
                              • Opcode Fuzzy Hash: 9302b36b025ec877457fbbf1a21bafb2f45ab16812df500e0537ae03573401d4
                              • Instruction Fuzzy Hash: 2B51683550C7468BC314DF6CE8409EA73A1AFC5320F618B3EE499CB8D1EB755129CB46
                              Function 6CA55EC9 Relevance: .1, Instructions: 136COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction ID: 5b9244f9c52ae7bb3824da47ab6b5a6b9d77f5f43251f9e06be86fd1153f2f36
                              • Opcode Fuzzy Hash: 72c1d2a683874879174d131ccb4dddd1e2f70cb764b1e7878fe2ff4eea78678e
                              • Instruction Fuzzy Hash: 783114277A440103C70CCD3BCC1279FA1675BD462A79ECF396C05CEF55D52CD8664544
                              Function 6CB8CB30 Relevance: .1, Instructions: 118COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 50cf60c155c313c45761863e2dcf8144c6cae617cdf822c1948384425c35e46c
                              • Instruction ID: adf2d4acf186700d19692b4f3e04723fc454f49f1e0ddff6b435c893de3cf4c6
                              • Opcode Fuzzy Hash: 50cf60c155c313c45761863e2dcf8144c6cae617cdf822c1948384425c35e46c
                              • Instruction Fuzzy Hash: C041AD72A487168FC304DE59EC804FBB3A6EFC8310F904B3D9865871D5D771691AC391
                              Function 6CBE8D12 Relevance: .1, Instructions: 97COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                              • Instruction ID: e7c6ec0a4c0c9641b2900625d819f769aafda99ef901722921616c2c40510f88
                              • Opcode Fuzzy Hash: 098c659f76e41217d8669f6238bf7423f4d33ff929d6c702424d2a71048e67eb
                              • Instruction Fuzzy Hash: 3B316831A147128BD728DA39D4540ABB3E3EFC5318B54CB3DC4568B599EBB5600BCB82
                              Function 6CADC700 Relevance: .1, Instructions: 70COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction ID: cd56e4ccad2f351644d7bb3ecf65c55ce3fb4846a6d901bd46cbaf8d21ca0545
                              • Opcode Fuzzy Hash: f18cd9d9e139bd055bb212acf8773c3fe54c7ac8df6eb17b1ef3fe2716829738
                              • Instruction Fuzzy Hash: 2C219077320A0647E74C8A38D83737532D0A705318F98A62DEA6BCE2C2D73AC457C385
                              Function 6CA1D456 Relevance: .0, Instructions: 29COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a04d75093bb9e0153b8133d072894e78b4a05029756335288a69ffe68a1f9a96
                              • Instruction ID: 57fec009c02d6977ba9c7ea28c59a6f246112e932fbc06a0d1ffbaa3d831a7e3
                              • Opcode Fuzzy Hash: a04d75093bb9e0153b8133d072894e78b4a05029756335288a69ffe68a1f9a96
                              • Instruction Fuzzy Hash: F8F0A031A182209BCB12CA49D505B8973B8EB05BA8F1580A6E401ABA40C3B0EE80C7C4
                              Function 6CA1D425 Relevance: .0, Instructions: 22COMMONLIBRARYCODE
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction ID: 39ffd8408d66f6a7757c351b03fa05366f7c7ca7798e027052406ec135e126ae
                              • Opcode Fuzzy Hash: 1cade3b8bd37eadd8f509832e5cf264ebb44d36771f29a864de074982515b943
                              • Instruction Fuzzy Hash: 11E08C3291A238EBCB12CB89CA04D8AF3ECEB45B54B1105A6F505D3A00C270EE84C7D0
                              Function 6CADA720 Relevance: .0, Instructions: 16COMMON
                              Download Yara Rule
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction ID: 9e05890006ab53691081b208441f2a930367a364cbc63c2ba49fa629f8110d5f
                              • Opcode Fuzzy Hash: d8b2ce9af6ca23b39d287f27f794cd19cdb7301d321a8ca7d0b17b1edfa8364a
                              • Instruction Fuzzy Hash: E3C08CA312810017C302EA2598C0BAAF6B37360330F278C2EA0A2F7E43C329D0A48111
                              Function 6CA71B50 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 341COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$p&L$p&L$p&L$p&L$p&L$p&L$p&L$p&L
                              • API String ID: 3519838083-609671
                              • Opcode ID: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction ID: 603fa626b2b2136da5c8a574ead7c42fd2484d93cecaaa069629809ec53fab3d
                              • Opcode Fuzzy Hash: 484af5ae81cb977d174bd25b2e3a21fa57463062f16cd0331cc52001b19bc208
                              • Instruction Fuzzy Hash: 8AD18075A042099FCB21CFA4DAA0AFDB7F5FF45308F24451AE259A3A50DB70D989CB70
                              Function 6CA59798 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 461COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv$H_prolog
                              • String ID: >WJ$x$x
                              • API String ID: 2300968129-3162267903
                              • Opcode ID: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction ID: 32eab21bb52d804d00d3864a83c067079e239e21b22c52cbceaf924e8d7ab06a
                              • Opcode Fuzzy Hash: 949a4121937ebe046e830a9d183576ad129ffcf0ce56193b78953cd7febb835e
                              • Instruction Fuzzy Hash: C2129DB1D00219EFDF10DFA4CA80ADDBBB5FF48318F648169E519AB650C731999ACF50
                              Function 6CA0D1C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON
                              Download Yara Rule
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 6CA0D1F7
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 6CA0D1FF
                              • _ValidateLocalCookies.LIBCMT ref: 6CA0D288
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 6CA0D2B3
                              • _ValidateLocalCookies.LIBCMT ref: 6CA0D308
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: 9e847c9ccb329342862df25aa1ac36299944889aecf9a18fc3a72cba346c30f4
                              • Instruction ID: 5b10eb65bc899b165433b2ac47b5ab3a54397434a7d01228b9daac8a8c6c779b
                              • Opcode Fuzzy Hash: 9e847c9ccb329342862df25aa1ac36299944889aecf9a18fc3a72cba346c30f4
                              • Instruction Fuzzy Hash: FB410935F0121C9BCF00CF68D940ADEBBB5AF4935CF148159E8249BB51D731DA8ACB90
                              Function 6CA1A58A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: api-ms-$ext-ms-
                              • API String ID: 0-537541572
                              • Opcode ID: c8c1fdaca0a13e9c1adcab5a45d494b819f8df39d9c7d0c0ebfec258a6b3a13a
                              • Instruction ID: 26b84a84e35ffbcb1bb70201a86d52a9bde597b102805c171b3910b813e31421
                              • Opcode Fuzzy Hash: c8c1fdaca0a13e9c1adcab5a45d494b819f8df39d9c7d0c0ebfec258a6b3a13a
                              • Instruction Fuzzy Hash: 59212E71E0D321EBDB218A698C44E8B377AAF42774F190611E829E7E81D734DC89C5E4
                              Function 6CA1F5A1 Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetConsoleCP.KERNEL32(?,6CA1E7C0,?), ref: 6CA1F5E9
                              • __fassign.LIBCMT ref: 6CA1F7C8
                              • __fassign.LIBCMT ref: 6CA1F7E5
                              • WriteFile.KERNEL32(?,6CA291A6,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA1F82D
                              • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CA1F86D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CA1F919
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: FileWrite__fassign$ConsoleErrorLast
                              • String ID:
                              • API String ID: 4031098158-0
                              • Opcode ID: ba365ac70b4b3dc266ea5c823c6c358407f117a70b4438311a6f26c64aa2695e
                              • Instruction ID: a14483a28cf61d6ca161c6e804085d078e36650c952fd468960e68c79c08475e
                              • Opcode Fuzzy Hash: ba365ac70b4b3dc266ea5c823c6c358407f117a70b4438311a6f26c64aa2695e
                              • Instruction Fuzzy Hash: 56D1CD71E052989FCF15CFE8C9809EDBBB5BF49314F28015EE855BBA41D7319986CB10
                              Function 6C8D2F60 Relevance: 9.1, APIs: 6, Instructions: 107COMMON
                              Download Yara Rule
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2F95
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2FAF
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D2FD0
                              • __Getctype.LIBCPMT ref: 6C8D3084
                              • std::_Facet_Register.LIBCPMT ref: 6C8D309C
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D30B7
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
                              • String ID:
                              • API String ID: 1102183713-0
                              • Opcode ID: 83ad7956f185026f4da7711d1060b18dbf19c1371f4c4beb4075140360c81116
                              • Instruction ID: e738ecaf185d3fa4d198564386fcd59f238cb6122943bc1a70b12810538d44f6
                              • Opcode Fuzzy Hash: 83ad7956f185026f4da7711d1060b18dbf19c1371f4c4beb4075140360c81116
                              • Instruction Fuzzy Hash: F24179B1E002188FDB20CF88DA54B9EB7B1FF54758F054528D859AB740DB74AD48CB91
                              Function 6CA47FA6 Relevance: 9.1, APIs: 6, Instructions: 95COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv$__aullrem
                              • String ID:
                              • API String ID: 2022606265-0
                              • Opcode ID: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction ID: b298950445a23a601ec2906d6c918248d2bc1e1d0f5a92051b23cc597b80b844
                              • Opcode Fuzzy Hash: 1f394eef11d621d2b0abd6c005444ee54f283a007719147bbe3c0d60170dbe25
                              • Instruction Fuzzy Hash: B221D530551219FEDF208F95AD40DCF7A7AEF817A9F20C226B520A16D0D2718DD4D7A1
                              Function 6CA4D6EC Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 183COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA4D6F1
                                • Part of subcall function 6CA5C173: __EH_prolog.LIBCMT ref: 6CA5C178
                              • __EH_prolog.LIBCMT ref: 6CA4D8F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: IJ$WIJ$J
                              • API String ID: 3519838083-740443243
                              • Opcode ID: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction ID: 5b21bd5384f3a027b549eccb430fb99b41bef6ab16d56af05d057d725e617985
                              • Opcode Fuzzy Hash: 6052f957e2ecb8a4b70827f611eacceb93b83a0f35a243b049cc0090dc05215c
                              • Instruction Fuzzy Hash: D171AB30D00254DFDB14DFA4C594BEDB7B0BF19308F1480A9E859ABB91DB74AA8DCB91
                              Function 6CA290FD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132fileCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 6CA291CD
                              • _free.LIBCMT ref: 6CA291F6
                              • SetEndOfFile.KERNEL32(00000000,6CA27DDC,00000000,6CA1E7C0,?,?,?,?,?,?,?,6CA27DDC,6CA1E7C0,00000000), ref: 6CA29228
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,6CA27DDC,6CA1E7C0,00000000,?,?,?,?,00000000,?), ref: 6CA29244
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _free$ErrorFileLast
                              • String ID: 8Q
                              • API String ID: 1547350101-4022487301
                              • Opcode ID: e5fe0d51e3dc4eb8e415e177852d2199a00cd62d8aa6f75b2d3efe5e391f4418
                              • Instruction ID: c7f8057f153fa8772310fb22d51e193ca6d9f079d5a1dd8127e1202f73314c3d
                              • Opcode Fuzzy Hash: e5fe0d51e3dc4eb8e415e177852d2199a00cd62d8aa6f75b2d3efe5e391f4418
                              • Instruction Fuzzy Hash: 9641C132905615AADB119ABACF44BCE37B5AF45728F1C0504E828E7B90EB39C8CD4761
                              Function 6CA180A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(00000008,?,00000000,6CA1BB43), ref: 6CA180A7
                              • _free.LIBCMT ref: 6CA18104
                              • _free.LIBCMT ref: 6CA1813A
                              • SetLastError.KERNEL32(00000000,00000008,000000FF), ref: 6CA18145
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast_free
                              • String ID:
                              • API String ID: 2283115069-2740779761
                              • Opcode ID: 3a14fd7057a95e75ccc242d081bfe6f89b16ce2f3f74fb495841c923e01790f7
                              • Instruction ID: 976d5957362184fdb3f576b93d45e0df833309f63ff0106a784c00ba8a7a86cd
                              • Opcode Fuzzy Hash: 3a14fd7057a95e75ccc242d081bfe6f89b16ce2f3f74fb495841c923e01790f7
                              • Instruction Fuzzy Hash: B311867234C605AEDB515A758D84DEB267AABC36BC72A072AF524D3ED0DF218CCD4310
                              Function 6CA61418 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 64COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA6141D
                                • Part of subcall function 6CA61E40: __EH_prolog.LIBCMT ref: 6CA61E45
                                • Part of subcall function 6CA618EB: __EH_prolog.LIBCMT ref: 6CA618F0
                                • Part of subcall function 6CA61593: __EH_prolog.LIBCMT ref: 6CA61598
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: &qB$0aJ$A0$XqB
                              • API String ID: 3519838083-1326096578
                              • Opcode ID: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction ID: dee77599b5f594814e96ed72c8aad5d53ba0830f630da2d3b0c3060cbc9f6eb1
                              • Opcode Fuzzy Hash: 37b22e6d00aae0832323933771e16052884702a18d16bc22ef1d28b2cb01d7a1
                              • Instruction Fuzzy Hash: 7E21BB70D01268EECB04DBE5DA959ECBBB5AF25308F204129D41673780DB789E8CCB65
                              Function 6CA61234 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 43COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: J$0J$DJ$`J
                              • API String ID: 3519838083-2453737217
                              • Opcode ID: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction ID: 3eac7781bf272382e9277fa00d93e504ec47c8a1a846ab7e224e85fa13f8fac3
                              • Opcode Fuzzy Hash: 94eb96797db7bdd6310de836df89d4e5c2fb6b25f25e237953e0bbd1ee8067ab
                              • Instruction Fuzzy Hash: 7011D3B0900B64CEC720CF5AC56419AFBE4FFA5708B10CA1FC4A687B50D7F8A548CB99
                              Function 6CA1281A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CA128A4,00000000,?,6CA12925,6CA0D339,00000003,00000000), ref: 6CA1282F
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CA12842
                              • FreeLibrary.KERNEL32(00000000,?,?,6CA128A4,00000000,?,6CA12925,6CA0D339,00000003,00000000), ref: 6CA12865
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: be11345aa885d74310e372ea57e7b33172d95bd6db9ffae11d427828336776fd
                              • Instruction ID: 456c3ed3a4be2480e3b4a7df0b1d69cdad4399d637981e0e52964fef30f2116b
                              • Opcode Fuzzy Hash: be11345aa885d74310e372ea57e7b33172d95bd6db9ffae11d427828336776fd
                              • Instruction Fuzzy Hash: 14F05830A15619FBDB119F50CD2DB9EBAB8AB4235AF114164A808E2860DF30CE82DB90
                              Function 6CA0AA17 Relevance: 7.5, APIs: 5, Instructions: 44COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog3.LIBCMT ref: 6CA0AA1E
                              • std::_Lockit::_Lockit.LIBCPMT ref: 6CA0AA29
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 6CA0AA97
                                • Part of subcall function 6CA0A920: std::locale::_Locimp::_Locimp.LIBCPMT ref: 6CA0A938
                              • std::locale::_Setgloballocale.LIBCPMT ref: 6CA0AA44
                              • _Yarn.LIBCPMT ref: 6CA0AA5A
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                              • String ID:
                              • API String ID: 1088826258-0
                              • Opcode ID: 4f7f494ef0379eca4062009789aa827e1aeabdbe8b8d96c2db03af6524a6685f
                              • Instruction ID: 5f60443aca1516ff1e2316ad2263c58674c3adb652b0b17e311efc2b4f27308c
                              • Opcode Fuzzy Hash: 4f7f494ef0379eca4062009789aa827e1aeabdbe8b8d96c2db03af6524a6685f
                              • Instruction Fuzzy Hash: 42017175B001259FDB06DB20EA54ABD7BB6FFA52C8B19404CD80167780DF74AE8ACB91
                              Function 6CA89E3F Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 452COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $!$@
                              • API String ID: 3519838083-2517134481
                              • Opcode ID: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction ID: a292ba53ac707dbcc04a1244448306f05677062da67cb00bd48661f869748048
                              • Opcode Fuzzy Hash: de11a10d9dafd4c65deb6d7f74020d514e490535ea8bbecf2d37e3263791df61
                              • Instruction Fuzzy Hash: 7D126E74906249DFCB04CFA4C690ADDBBB6FF09308F188069E445ABB91DB35AD89CB50
                              Function 6CA55B91 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 284COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog__aulldiv
                              • String ID: $SJ
                              • API String ID: 4125985754-3948962906
                              • Opcode ID: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction ID: 59a144f355141f84ccb2395918e9d73439b98500a4088f8a1e22dc7d076e66e4
                              • Opcode Fuzzy Hash: 589161b9174e713d87cd7ea6b7fb48598b4f41844aead815dae59d281551bb28
                              • Instruction Fuzzy Hash: 10B13DB2E01209DFCB14CF99C9809AEBBB1FF48314FA4C52ED456A7B50D730AA95CB50
                              Function 6C8D2020 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 6CA0AA17: __EH_prolog3.LIBCMT ref: 6CA0AA1E
                                • Part of subcall function 6CA0AA17: std::_Lockit::_Lockit.LIBCPMT ref: 6CA0AA29
                                • Part of subcall function 6CA0AA17: std::locale::_Setgloballocale.LIBCPMT ref: 6CA0AA44
                                • Part of subcall function 6CA0AA17: _Yarn.LIBCPMT ref: 6CA0AA5A
                                • Part of subcall function 6CA0AA17: std::_Lockit::~_Lockit.LIBCPMT ref: 6CA0AA97
                                • Part of subcall function 6C8D2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2F95
                                • Part of subcall function 6C8D2F60: std::_Lockit::_Lockit.LIBCPMT ref: 6C8D2FAF
                                • Part of subcall function 6C8D2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D2FD0
                                • Part of subcall function 6C8D2F60: __Getctype.LIBCPMT ref: 6C8D3084
                                • Part of subcall function 6C8D2F60: std::_Facet_Register.LIBCPMT ref: 6C8D309C
                                • Part of subcall function 6C8D2F60: std::_Lockit::~_Lockit.LIBCPMT ref: 6C8D30B7
                              • std::ios_base::_Addstd.LIBCPMT ref: 6C8D211B
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$AddstdFacet_GetctypeH_prolog3RegisterSetgloballocaleYarnstd::ios_base::_std::locale::_
                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                              • API String ID: 3332196525-1866435925
                              • Opcode ID: 7d7cebf932b04a8e608219e883db205276203983f141992ebf70f992244efc19
                              • Instruction ID: f5d69d915c0bb4950d59214f666516e61a5b292d0f5c405d86a850ebf41a3740
                              • Opcode Fuzzy Hash: 7d7cebf932b04a8e608219e883db205276203983f141992ebf70f992244efc19
                              • Instruction Fuzzy Hash: AE41D0B0A003098FDB10CF64D9457AEBBB1FF48318F108668E919AB791E775AD85CB90
                              Function 6CA591D6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $CK$CK
                              • API String ID: 3519838083-2957773085
                              • Opcode ID: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction ID: 71a3f6423050a32ec6186b0293790128be0de180a9272c328a43901d7714e4d5
                              • Opcode Fuzzy Hash: 2704db3354b84918023bfe159d178872147a663a780c49e5ab543107787eea7d
                              • Instruction Fuzzy Hash: 5021B2B0E01205CBCB04DFB9C6801EEB7B6FB94314F94862AC412ABB81C7745A87CA91
                              Function 6CA70584 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$LrJ$x
                              • API String ID: 3519838083-658305261
                              • Opcode ID: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction ID: 15beb060ec7b170bb628e6ec638280919af7f6fb41ac1a143273372cb5e00ffb
                              • Opcode Fuzzy Hash: 4d1a12b996d8cdd79ba2c3eb3f59f6bf691634cc710ec0f5f651f2212a36eb1c
                              • Instruction Fuzzy Hash: FC215E36D011299ACF04DBD8CAA0AEDB7B5FF98308F20015AD405B7640DB765E8CCBA1
                              Function 6CA67EC7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA67ECC
                                • Part of subcall function 6CA5258A: __EH_prolog.LIBCMT ref: 6CA5258F
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :hJ$dJ$xJ
                              • API String ID: 3519838083-2437443688
                              • Opcode ID: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction ID: 7cb2cb9ad44c2a5a0d0c962a7106fb7f761b7dbc185e1229e641e7eefc55b886
                              • Opcode Fuzzy Hash: e3ee415979c90d2d15618e5f431c2d86ccd996bf58f825059be4d34af7dc85d3
                              • Instruction Fuzzy Hash: FA21BAB0811B50CFC760CF6AC15428ABBF4BB29708B50C95EC0AA97B11E7B4A54DCF59
                              Function 6CA1E480 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • SetFilePointerEx.KERNEL32(00000000,?,00000000,6CA1E7C0,6C8D1DEA,00008000,6CA1E7C0,?,?,?,6CA1E36F,6CA1E7C0,?,00000000,6C8D1DEA), ref: 6CA1E4B9
                              • GetLastError.KERNEL32(?,?,?,6CA1E36F,6CA1E7C0,?,00000000,6C8D1DEA,?,6CA27D8E,6CA1E7C0,000000FF,000000FF,00000002,00008000,6CA1E7C0), ref: 6CA1E4C3
                              • __dosmaperr.LIBCMT ref: 6CA1E4CA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorFileLastPointer__dosmaperr
                              • String ID: 8Q
                              • API String ID: 2336955059-4022487301
                              • Opcode ID: 322e10f234024c082683994d94759a4d1bae8a0ea60d22042e73b8b5b215505b
                              • Instruction ID: 7542bc3db298b158af0aaf7b68c84104cdedcf43e33253525870ac0f09339368
                              • Opcode Fuzzy Hash: 322e10f234024c082683994d94759a4d1bae8a0ea60d22042e73b8b5b215505b
                              • Instruction Fuzzy Hash: F301D832718515AFCB058F5ACD48C9E7B6DEBC633472C4208E811DBE80EB72D99587D0
                              Function 6CA5ED0E Relevance: 6.4, Strings: 5, Instructions: 105COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: <J$DJ$HJ$TJ$]
                              • API String ID: 0-686860805
                              • Opcode ID: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction ID: 386732e100cfbe1430a1a4e923ffde6d25f5cd53047abbf8c589468318aa9adb
                              • Opcode Fuzzy Hash: b82db92acc6f2fd2fd2fd5332bfa7d1e38ecda44958a76cbd211a3f1299ff4ed
                              • Instruction Fuzzy Hash: E241F231D11259AFCF14DFA0D5A08EEB770AF10208BA4C069D46167A50EB3AAADDCB91
                              Function 6CA59331 Relevance: 6.1, APIs: 4, Instructions: 76COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID:
                              • API String ID: 3732870572-0
                              • Opcode ID: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction ID: 0fce2f81afb95cf1cfaba6809a0c56fd94154957e6cff270d4d27220cb66e351
                              • Opcode Fuzzy Hash: 2bdaa92217569021002d8658a142890db49ae38c047720c0e1f220da2750cc6e
                              • Instruction Fuzzy Hash: 6B11A2B6200244BFEB214EA4DD44EEF7BBEEFC9754F04C42DB14156A90C671AC99D760
                              Function 6CA295AA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • WriteConsoleW.KERNEL32(00000000,?,6CA27DDC,00000000,00000000,?,6CA28241,00000000,00000001,00000000,6CA1E7C0,?,6CA1F976,?,?,6CA1E7C0), ref: 6CA295C1
                              • GetLastError.KERNEL32(?,6CA28241,00000000,00000001,00000000,6CA1E7C0,?,6CA1F976,?,?,6CA1E7C0,?,6CA1E7C0,?,6CA1F40C,6CA291A6), ref: 6CA295CD
                                • Part of subcall function 6CA2961E: CloseHandle.KERNEL32(FFFFFFFE,6CA295DD,?,6CA28241,00000000,00000001,00000000,6CA1E7C0,?,6CA1F976,?,?,6CA1E7C0,?,6CA1E7C0), ref: 6CA2962E
                              • ___initconout.LIBCMT ref: 6CA295DD
                                • Part of subcall function 6CA295FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CA2959B,6CA2822E,6CA1E7C0,?,6CA1F976,?,?,6CA1E7C0,?), ref: 6CA29612
                              • WriteConsoleW.KERNEL32(00000000,?,6CA27DDC,00000000,?,6CA28241,00000000,00000001,00000000,6CA1E7C0,?,6CA1F976,?,?,6CA1E7C0,?), ref: 6CA295F2
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                              • String ID:
                              • API String ID: 2744216297-0
                              • Opcode ID: de2ab25d02c372ee2730412c61fa69a3165cfd8ad0b9624e9b768555f8642ab8
                              • Instruction ID: 5a77307467d5cf7e7551a755ac67993e43382682273f8f46804358459cf60455
                              • Opcode Fuzzy Hash: de2ab25d02c372ee2730412c61fa69a3165cfd8ad0b9624e9b768555f8642ab8
                              • Instruction Fuzzy Hash: CEF01C36200229BBCF221FA1CD44D893F76FB0ABA1B084010FE09D6620DB3688A4DB91
                              Function 6CA41072 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 398COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA41077
                                • Part of subcall function 6CA40FF5: __EH_prolog.LIBCMT ref: 6CA40FFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: :$\
                              • API String ID: 3519838083-1166558509
                              • Opcode ID: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction ID: 9dc079f261943f0c7513dd7a52c7fda9e3d9f74083ad157dc1f8c067ad198b50
                              • Opcode Fuzzy Hash: 48f4411e2405fcdde49591215dd3ffd545f97566ccde13c94e17e7da02f2e48f
                              • Instruction Fuzzy Hash: 07E1F230900209DACB10DFA8CA90BFDB7B1AF1531CF14C619D956ABA90DB74E9DECB15
                              Function 6CA8D354 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 234COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog__aullrem
                              • String ID: d%K
                              • API String ID: 3415659256-3110269457
                              • Opcode ID: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction ID: 50cdecf95f38d64a3b75900411725313cd1842aa03bd55baef634053e50c4171
                              • Opcode Fuzzy Hash: edd8db3a4067630c511c1f9d0118cc4b792e07b2613ebc31a4b030f5161dda76
                              • Instruction Fuzzy Hash: F681D271E0221A9FDF04CF54C550BDEB7F5AF4434CF28805AE818ABA85D771E989CBA1
                              Function 6CA16814 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog3_
                              • String ID: 8Q
                              • API String ID: 2427045233-4022487301
                              • Opcode ID: 2529d6c1e2a4af1b9a3d6051f2685278de7c4850c2953a7ce045a49eca2f3761
                              • Instruction ID: cc8fa57d6b4d115a4d9a984bb04456a5a8ce8e6fd8f73d6d8c364b195c020855
                              • Opcode Fuzzy Hash: 2529d6c1e2a4af1b9a3d6051f2685278de7c4850c2953a7ce045a49eca2f3761
                              • Instruction Fuzzy Hash: 9F71C67194D21A9BDB108F95C940AEEBAF5EF45318F288219E920E7F80DB7598C5C760
                              Function 6CA66C20 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 224COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$hfJ
                              • API String ID: 3519838083-1391159562
                              • Opcode ID: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction ID: 941abdc54ab1385d1052cbcd1affe46bce2edd10960a72440420efc9eff8cd49
                              • Opcode Fuzzy Hash: 82ac28e14911e15d6061b9e8fa7e1011da5464f288955fede779c14a83bf3726
                              • Instruction Fuzzy Hash: 87911770910619EFCB10DFAAC9949DEBBB4FF18308F54452EE459E7A90D770AA88CB11
                              Function 6CA5BC58 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 213COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 6CA5BC5D
                                • Part of subcall function 6CA5A61A: __EH_prolog.LIBCMT ref: 6CA5A61F
                                • Part of subcall function 6CA5AA2E: __EH_prolog.LIBCMT ref: 6CA5AA33
                                • Part of subcall function 6CA5BEA5: __EH_prolog.LIBCMT ref: 6CA5BEAA
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: WZJ
                              • API String ID: 3519838083-1089469559
                              • Opcode ID: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction ID: feff220692b5452ec66175045492411c73c6ed164fa756d9e445efba5dce77fa
                              • Opcode Fuzzy Hash: cff2a95f7f2c9e7e47c21d6c2cae1b51bbda01fa4771d0427a5cf66fef2ba2b2
                              • Instruction Fuzzy Hash: 20818C31D00158DFCF15DFA8DA90ADDBBB5AF18308F148199E506A7B90DB30AE9DCB60
                              Function 6C8D28E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 176COMMON
                              Download Yara Rule
                              APIs
                              • ___std_exception_destroy.LIBVCRUNTIME ref: 6C8D2A76
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ___std_exception_destroy
                              • String ID: Jbx$Jbx
                              • API String ID: 4194217158-1161259238
                              • Opcode ID: 410583d0780baf489bfd4ff1f6d2be922c67f0989652fb2cdcf5e9d5a2b8b938
                              • Instruction ID: 06ad946ad7627464e5fe0979619bc023fb9665560aaa623b11b3ada4f7eafcb1
                              • Opcode Fuzzy Hash: 410583d0780baf489bfd4ff1f6d2be922c67f0989652fb2cdcf5e9d5a2b8b938
                              • Instruction Fuzzy Hash: B35139B19002049FCB20CF18D984A9EBBB5FF88308F15896DD8599B741D339ED89CB91
                              Function 6CA62F9C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: <dJ$Q
                              • API String ID: 3519838083-2252229148
                              • Opcode ID: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction ID: 09e94f0b25a4483717b729cfc672e20d39d38edee3d9f2a7a47d5a002adf88aa
                              • Opcode Fuzzy Hash: 8611fd72bf4170e71673488c417c1a53bfaf30d487d7fd955d74d6e9e56554ac
                              • Instruction Fuzzy Hash: C2518C71905219EFCF00DFEAC8908EDB7B1BF48318F14852EE595ABA50D7319ACACB10
                              Function 6CA5E9B9 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $D^J
                              • API String ID: 3519838083-3977321784
                              • Opcode ID: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction ID: 5401ea4daa679792a0ad437a2e04340527f53d27ac1bbc242b0530375de30805
                              • Opcode Fuzzy Hash: 592ff2149492c1b5d1f5267e2a791cd36de2b3efa6476b1a9cfe308cba17f1e8
                              • Instruction Fuzzy Hash: 52415865E055B46ED7269F3888507E8BBA2AF0720DF98C158C1A647E81DB7C19EEC3C0
                              Function 6CA205EE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,6CA27DC6), ref: 6CA2070B
                              • __dosmaperr.LIBCMT ref: 6CA20712
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr
                              • String ID: 8Q
                              • API String ID: 1659562826-4022487301
                              • Opcode ID: b8ddec219fd2d0f6d9fd7cbaffcb50bc7c58785458350d139f64f6fbf21bde32
                              • Instruction ID: c96073c4dd1637982a941f8ecef806ff870a8241d7e1978d472e7473fad6dbc1
                              • Opcode Fuzzy Hash: b8ddec219fd2d0f6d9fd7cbaffcb50bc7c58785458350d139f64f6fbf21bde32
                              • Instruction Fuzzy Hash: EC417B716045E4AFD7118F28C8A0FE97FF5EF86314F1C4259E8848BA41D3B99D95CB90
                              Function 6CA7812C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 102COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: X&L$p|J
                              • API String ID: 3519838083-2944591232
                              • Opcode ID: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction ID: 5d8962c6076cdcc0deac07255074e7ea04034c5c2e7ac0091106e47976385ef7
                              • Opcode Fuzzy Hash: 9119c1f64bb26ad996fbea7536e901d29dd4483baa18a121855aa129662547ca
                              • Instruction Fuzzy Hash: 33313839A85915CBD720AB58DE15BA97771FB0132DF240227D520F6EE2CB6089C9CBB4
                              Function 6CA77C24 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0|J$`)L
                              • API String ID: 3519838083-117937767
                              • Opcode ID: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction ID: 7918868e58f0cd493788a3a8d17017e26c2110aa7a506d8c52845550dea8e6bb
                              • Opcode Fuzzy Hash: 924921a2771934cbe07cb1819a4d5bd42f54cfcb7b164b76471555bcaac8b42b
                              • Instruction Fuzzy Hash: 7141B235600751DFCB229F60CAA07FABBE2FF45208F04452EE45ADB711CB356988CBA1
                              Function 6CA7ACB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: __aulldiv
                              • String ID: 3333
                              • API String ID: 3732870572-2924271548
                              • Opcode ID: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction ID: 6075e357d4cde8d86472caa909dc1674714a2abb1f1661131eada25e80a6da2a
                              • Opcode Fuzzy Hash: 0d34d547a1763b1f6cbcb81569cbe66ca114cba913daa42be50c89cb46dd64ee
                              • Instruction Fuzzy Hash: C521A6B49007047ED730CFA98980B5BBAFEFB84715F10892EA146D3B41D770ED888765
                              Function 6CA1815F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-2740779761
                              • Opcode ID: efd9d777008cc2e6bf55a3959c13d9651d1613d4e16bdec3658d7743dd1e2b42
                              • Instruction ID: 654f2e3fb7880a2c9f5bdc0617e9449cda320c67fac30fb179afefa5c334ac57
                              • Opcode Fuzzy Hash: efd9d777008cc2e6bf55a3959c13d9651d1613d4e16bdec3658d7743dd1e2b42
                              • Instruction Fuzzy Hash: E8014833A4E9216ADB1115749E00ADA22657F1377CF1B0716FD24E6ED4DB118DCD4390
                              Function 6CA73906 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$LuJ
                              • API String ID: 3519838083-205571748
                              • Opcode ID: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction ID: 9bec2851c6815984b6f220af8daaf603fba091ef9e7564a2fae6e59da5ed536d
                              • Opcode Fuzzy Hash: aa36ca613ac24c818774a3b50af302aa3ac6c7e5dc6eeb3b6f96232f2efdcf83
                              • Instruction Fuzzy Hash: 0F016172E02209DADB10DFE984A05AEF7B4FF59704F41C42EE5A5E3A41C3349948CBA5
                              Function 6CA4F0AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: @$xMJ
                              • API String ID: 3519838083-951924499
                              • Opcode ID: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction ID: 6c2db0c3d5c37215c4cb466e5a8b98cad82de992edb8ed8a6a9bec16ad417cfb
                              • Opcode Fuzzy Hash: 871999b8a6dfe8dd14063548d73ca1d86140603a6c3ba165e22a59db3157078a
                              • Instruction Fuzzy Hash: 10113C71A01209DBCF00CFA9C99059EB7B4FF58308B90D46ED569E7A40D3349A45CB95
                              Function 6CA21418 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44memoryCOMMON
                              Download Yara Rule
                              APIs
                              • _free.LIBCMT ref: 6CA21439
                              • HeapReAlloc.KERNEL32(00000000,?,?,00000004,00000000,?,6CA1DD2A,?,00000004,?,4B42FCB6,?,?,6CA12E7C,4B42FCB6,?), ref: 6CA21475
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1879543351.000000006C881000.00000020.00000001.01000000.00000009.sdmp, Offset: 6C880000, based on PE: true
                              • Associated: 00000005.00000002.1879489274.000000006C880000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1880993633.000000006CA2B000.00000002.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1882437206.000000006CBF7000.00000002.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: AllocHeap_free
                              • String ID: 8Q
                              • API String ID: 1080816511-4022487301
                              • Opcode ID: 57133694b08330ad1ee39525cc8920fedde3e042d82eaab70f332b776a0c74b1
                              • Instruction ID: af643d2846e154e2ca788a24ae7e5d05cb5b040e4e6a9be38aed75ae4da00c96
                              • Opcode Fuzzy Hash: 57133694b08330ad1ee39525cc8920fedde3e042d82eaab70f332b776a0c74b1
                              • Instruction Fuzzy Hash: D4F0C871705131769B211A259C00AAB27789FD2BBCB2D8119EA1E96E80DB2ADCC98191
                              Function 6CA76431 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: |zJ
                              • API String ID: 3037903784-3782439380
                              • Opcode ID: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction ID: 72ab59b5a6176ab1063f903c74508d47b0ce3c7c12e0c5f07becb10129621e14
                              • Opcode Fuzzy Hash: 45f9250e3087bdd449dea7a7c5ec79293aeb189375d795e63a98390aaf881842
                              • Instruction Fuzzy Hash: B5E0E5366015209BE7249B48CA1179DF7A4FF54718F10411F9012E3F40CBB0A8948691
                              Function 6CA6D143 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID: H_prologctype
                              • String ID: <oJ
                              • API String ID: 3037903784-2791053824
                              • Opcode ID: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction ID: 2ea7f3ec01708c657e7f469536865e8be61d46043cd02ee21bedc41225d8eaf2
                              • Opcode Fuzzy Hash: f66cbee60b40af54c04d64295f8ed3aa4e69c018a581ef3e0b0762c85e8ebc26
                              • Instruction Fuzzy Hash: E8E0ED72A01120ABDB04AF89C920BEEF7A9EF44758F21011EA121A3F51CBF1E884C784
                              Function 6CAA24AB Relevance: 5.2, Strings: 4, Instructions: 237COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: @ K$DJ$T)K$X/K
                              • API String ID: 0-3815299647
                              • Opcode ID: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction ID: 1b43bcf78ff5f6dd40f41bc91a57017f9f947e929a38a766def96ea3475f8f38
                              • Opcode Fuzzy Hash: c2360a40d33ebeca7632374cab2a44736fbf981b028df34ec032509b6de52aa1
                              • Instruction Fuzzy Hash: 659105346053159BCB04DFA6C9687EE73B2AF4130CF144619C86D9BB81CB35AAEEC751
                              Function 6CA97E19 Relevance: 5.2, Strings: 4, Instructions: 161COMMON
                              Download Yara Rule
                              Strings
                              Memory Dump Source
                              • Source File: 00000005.00000002.1881100371.000000006CA3B000.00000008.00000001.01000000.00000009.sdmp, Offset: 6CA3B000, based on PE: true
                              • Associated: 00000005.00000002.1881702919.000000006CB06000.00000004.00000001.01000000.00000009.sdmpDownload File
                              • Associated: 00000005.00000002.1881730037.000000006CB0C000.00000020.00000001.01000000.00000009.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_5_2_6c880000_#U5b89#U88c5#U7a0b#U5e8f_1.jbxd
                              Similarity
                              • API ID:
                              • String ID: D)K$H)K$P)K$T)K
                              • API String ID: 0-2262112463
                              • Opcode ID: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction ID: 698f56a3fe10ce7c4972ec48b0a416df7c58080a17fb952154d7431dffbc4501
                              • Opcode Fuzzy Hash: 9be5c025380eda7c216aac381ad020450c93343e5c05b53f9846b5bc651498f8
                              • Instruction Fuzzy Hash: 8D51C1319242299BCF00EF94DD52ADEB7F1AF0531CF14451AE81AE7A80DB7599CCCBA4

                              Execution Graph

                              Execution Coverage:4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:0.4%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:35
                              execution_graph 73244 29a42c 73245 29a449 73244->73245 73246 29a435 fputs 73244->73246 73403 29545d 73245->73403 73402 261fa0 fputc 73246->73402 73253 29a4c9 73472 261e40 free 73253->73472 73255 29a4d8 73256 29a4ee 73255->73256 73473 29c7d7 73255->73473 73258 29a50e 73256->73258 73481 2957fb 73256->73481 73491 29c73e 73258->73491 73263 29ac17 73680 292db9 free ctype 73263->73680 73267 29ac23 73269 29ac3a 73267->73269 73271 29ac35 73267->73271 73268 29a54d 73514 262fec 73268->73514 73682 29b96d _CxxThrowException 73269->73682 73681 29b988 33 API calls __aulldiv 73271->73681 73274 29ac42 73683 261e40 free 73274->73683 73277 29ac4d 73684 283247 73277->73684 73279 29a586 73520 29ad06 73279->73520 73284 29ac7d 73691 2611c2 free __EH_prolog ctype 73284->73691 73288 29ac89 73692 29be0c free __EH_prolog ctype 73288->73692 73292 29ac98 73693 292db9 free ctype 73292->73693 73293 262e04 2 API calls 73295 29a636 73293->73295 73538 284345 73295->73538 73296 29aca4 73299 29a676 73544 282096 73299->73544 73302 29a66f 73640 29b96d _CxxThrowException 73302->73640 73305 29c7d7 ctype 6 API calls 73307 29a6e2 73305->73307 73308 29a722 73307->73308 73641 261fa0 fputc 73307->73641 73315 29a6fa fputs 73381 29aae5 73679 292db9 free ctype 73381->73679 73402->73245 73404 295473 73403->73404 73405 295466 73403->73405 73407 262e04 73404->73407 73694 26275e malloc _CxxThrowException free ctype 73405->73694 73408 261e0c ctype 2 API calls 73407->73408 73409 262e11 73408->73409 73410 281858 73409->73410 73411 281862 __EH_prolog 73410->73411 73695 28021a 73411->73695 73416 2818b9 73709 281aa5 free __EH_prolog ctype 73416->73709 73418 281935 73720 281aa5 free __EH_prolog ctype 73418->73720 73419 2818c7 73710 292db9 free ctype 73419->73710 73423 281944 73444 281966 73423->73444 73721 281d73 5 API calls __EH_prolog 73423->73721 73424 2818d3 73424->73253 73427 281958 _CxxThrowException 73427->73444 73428 2819be 73728 28f1f1 malloc _CxxThrowException free _CxxThrowException 73428->73728 73430 262e04 2 API calls 73430->73444 73431 2818db 73431->73418 73711 280144 malloc _CxxThrowException free _CxxThrowException 73431->73711 73712 2a04d2 73431->73712 73718 261524 malloc _CxxThrowException __EH_prolog ctype 73431->73718 73719 261e40 free 73431->73719 73433 2819d6 73729 287ebb 73433->73729 73439 2a04d2 5 API calls 73439->73444 73441 287ebb free 73443 2819f7 73441->73443 73445 2712d4 4 API calls 73443->73445 73444->73428 73444->73430 73444->73439 73722 26631f 73444->73722 73726 261524 malloc _CxxThrowException __EH_prolog ctype 73444->73726 73727 261e40 free 73444->73727 73454 2819ff 73445->73454 73447 281a4f 73742 261e40 free 73447->73742 73449 261524 malloc _CxxThrowException 73449->73454 73450 281a57 73743 292db9 free ctype 73450->73743 73452 281a64 73744 292db9 free ctype 73452->73744 73454->73447 73454->73449 73456 281a83 73454->73456 73741 2642e3 CharUpperW 73454->73741 73745 281d73 5 API calls __EH_prolog 73456->73745 73458 281a97 _CxxThrowException 73459 281aa5 __EH_prolog 73458->73459 73746 261e40 free 73459->73746 73461 281ac8 73747 2802e8 free ctype 73461->73747 73463 281ad1 73748 281eab free __EH_prolog ctype 73463->73748 73465 281add 73749 261e40 free 73465->73749 73467 281ae5 73750 261e40 free 73467->73750 73469 281aed 73751 292db9 free ctype 73469->73751 73471 281afa 73471->73253 73472->73255 73474 29c849 73473->73474 73475 29c7ea 73473->73475 73476 29c85a 73474->73476 74227 261f91 fflush 73474->74227 73477 29c7fe fputs 73475->73477 74226 2625cb malloc _CxxThrowException free _CxxThrowException ctype 73475->74226 73476->73256 73477->73474 73482 295805 __EH_prolog 73481->73482 73483 295847 73482->73483 74228 2626dd 73482->74228 73483->73258 73489 29583f 74248 261e40 free 73489->74248 73492 29c748 __EH_prolog 73491->73492 73493 29c7d7 ctype 6 API calls 73492->73493 73494 29c75d 73493->73494 74287 261e40 free 73494->74287 73496 29c768 74288 282c0b 73496->74288 73500 29c77d 74294 261e40 free 73500->74294 73502 29c785 74295 261e40 free 73502->74295 73504 29c78d 74296 261e40 free 73504->74296 73506 29c795 73507 282c0b ctype free 73506->73507 73508 29a51d 73507->73508 73508->73381 73509 261e0c 73508->73509 73510 261e15 73509->73510 73511 261e1c malloc 73509->73511 73510->73511 73512 261e3e 73511->73512 73513 261e2a _CxxThrowException 73511->73513 73512->73268 73638 29b0fa malloc _CxxThrowException __EH_prolog 73512->73638 73513->73512 73515 262ffc 73514->73515 73516 262ff8 73514->73516 73515->73516 73517 261e0c ctype 2 API calls 73515->73517 73516->73279 73518 263010 73517->73518 74299 261e40 free 73518->74299 74300 29ad29 73520->74300 73523 29bf3e 73524 262fec 3 API calls 73523->73524 73525 29bf85 73524->73525 73526 262fec 3 API calls 73525->73526 73527 29a5ee 73526->73527 73528 273a29 73527->73528 73529 273a3b 73528->73529 73535 273a37 73528->73535 74306 273bd9 free ctype 73529->74306 73531 273a6f 73531->73535 74308 273b76 malloc _CxxThrowException __EH_prolog ctype 73531->74308 73532 273a42 73532->73531 73533 273a67 73532->73533 73534 273a52 _CxxThrowException 73532->73534 74307 2a0551 malloc _CxxThrowException free memcpy ctype 73533->74307 73534->73533 73535->73293 73539 28434f __EH_prolog 73538->73539 73540 262e04 2 API calls 73539->73540 73541 28436d 73540->73541 73542 262e04 2 API calls 73541->73542 73543 284379 73542->73543 73543->73299 73639 28375c 22 API calls 2 library calls 73543->73639 73559 2820a0 __EH_prolog 73544->73559 73545 2821f0 73546 282209 73545->73546 73547 261e0c ctype 2 API calls 73545->73547 73548 261e0c ctype 2 API calls 73546->73548 73547->73546 73550 282235 73548->73550 73549 262e04 2 API calls 73549->73559 73551 282248 73550->73551 74309 274250 73550->74309 74327 282c22 73551->74327 73552 262f1c 2 API calls 73552->73559 73555 266c72 44 API calls 73555->73559 73556 261e40 free ctype 73556->73559 73558 28224c 74505 26757d GetLastError 73558->74505 73559->73545 73559->73549 73559->73552 73559->73555 73559->73556 73559->73558 73560 282251 73559->73560 74504 27089e malloc _CxxThrowException free _CxxThrowException memcpy 73559->74504 74506 282c6c 6 API calls 2 library calls 73560->74506 73564 282277 74507 261e40 free 73564->74507 73567 28227f 74508 261e40 free 73567->74508 73568 282347 74526 261e40 free 73568->74526 73569 282a55 74527 261e40 free 73569->74527 73571 262e04 2 API calls 73588 28232b 73571->73588 73573 282287 74509 261e40 free 73573->74509 73574 28228f 73574->73305 73574->73307 73576 266c72 44 API calls 73576->73588 73577 282969 74523 26757d GetLastError 73577->74523 73579 28296e 74524 282c6c 6 API calls 2 library calls 73579->74524 73581 282836 74514 261e40 free 73581->74514 73588->73568 73588->73571 73588->73576 73588->73577 73588->73581 73589 282855 73588->73589 73593 28289d 73588->73593 73604 283247 free 73588->73604 73607 262f1c 2 API calls 73588->73607 73611 2828e6 73588->73611 73612 261e40 free ctype 73588->73612 73617 262fec malloc _CxxThrowException free 73588->73617 73619 282921 73588->73619 73632 261fa0 fputc 73588->73632 74331 2747dd 73588->74331 74335 296086 73588->74335 74347 282b09 73588->74347 74353 2831d8 73588->74353 74359 282a72 73588->74359 74363 296359 73588->74363 74406 282cdb 73588->74406 74492 282bb5 73588->74492 74510 273e26 30 API calls 2 library calls 73588->74510 74511 266456 9 API calls 2 library calls 73588->74511 74512 26859e malloc _CxxThrowException free _CxxThrowException 73588->74512 74513 28204d CharUpperW 73588->74513 74515 261e40 free 73589->74515 73591 282860 73592 283247 free 73591->73592 74517 261e40 free 73593->74517 73597 2828a8 73604->73588 73607->73588 74519 261e40 free 73611->74519 73612->73588 73616 2828f1 73618 283247 free 73616->73618 73617->73588 74521 261e40 free 73619->74521 73623 28292c 73625 283247 free 73623->73625 73632->73588 73638->73268 73639->73302 73640->73299 73641->73315 73679->73263 73680->73267 73681->73269 73682->73274 73683->73277 73685 28324e 73684->73685 73686 283260 73685->73686 75748 261e40 free 73685->75748 75747 261e40 free 73686->75747 73689 283267 73690 261e40 free 73689->73690 73690->73284 73691->73288 73692->73292 73693->73296 73694->73404 73696 280224 __EH_prolog 73695->73696 73752 273d66 73696->73752 73699 28062e 73705 280638 __EH_prolog 73699->73705 73700 2806de 73839 28019a malloc _CxxThrowException free memcpy 73700->73839 73702 2806e6 73840 281453 26 API calls 2 library calls 73702->73840 73704 2806ee 73704->73416 73704->73431 73705->73700 73705->73704 73706 2801bc malloc _CxxThrowException free _CxxThrowException memcpy 73705->73706 73768 280703 73705->73768 73838 292db9 free ctype 73705->73838 73706->73705 73709->73419 73710->73424 73711->73431 73713 2a04df 73712->73713 73714 2a0513 73712->73714 73715 2a04e8 _CxxThrowException 73713->73715 73716 2a04fd 73713->73716 73714->73431 73715->73716 74172 2a0551 malloc _CxxThrowException free memcpy ctype 73716->74172 73718->73431 73719->73431 73720->73423 73721->73427 73723 269245 73722->73723 74173 2690da 73723->74173 73726->73444 73727->73444 73728->73433 73730 2819e1 73729->73730 73732 287ec6 73729->73732 73733 2712d4 73730->73733 73731 261e40 free ctype 73731->73732 73732->73730 73732->73731 73734 2712e7 73733->73734 73740 271327 73733->73740 73735 271304 73734->73735 73736 2712ef _CxxThrowException 73734->73736 74225 261e40 free 73735->74225 73736->73735 73738 27130b 73739 261e0c ctype 2 API calls 73738->73739 73739->73740 73740->73441 73741->73454 73742->73450 73743->73452 73744->73424 73745->73458 73746->73461 73747->73463 73748->73465 73749->73467 73750->73469 73751->73471 73763 2ffb10 73752->73763 73754 273d70 GetCurrentProcess 73764 273e04 73754->73764 73756 273d8d OpenProcessToken 73757 273de3 73756->73757 73758 273d9e LookupPrivilegeValueW 73756->73758 73759 273e04 CloseHandle 73757->73759 73758->73757 73760 273dc0 AdjustTokenPrivileges 73758->73760 73761 273def 73759->73761 73760->73757 73762 273dd5 GetLastError 73760->73762 73761->73699 73762->73757 73763->73754 73765 273e11 CloseHandle 73764->73765 73766 273e0d 73764->73766 73767 273e21 73765->73767 73766->73756 73767->73756 73836 28070d __EH_prolog 73768->73836 73769 280b40 73769->73705 73770 280e1d 73882 280416 18 API calls 2 library calls 73770->73882 73772 280ea6 73884 2aec78 free ctype 73772->73884 73773 280d11 73873 267496 7 API calls 2 library calls 73773->73873 73776 280c13 73870 261e40 free 73776->73870 73777 280c83 73777->73770 73777->73773 73781 280de0 73878 292db9 free ctype 73781->73878 73782 262da9 2 API calls 73819 280ab5 73782->73819 73783 280e47 73783->73772 73883 28117d 68 API calls 2 library calls 73783->73883 73787 280df8 73880 261e40 free 73787->73880 73788 262e04 2 API calls 73788->73836 73789 262e04 2 API calls 73789->73819 73792 280e02 73881 292db9 free ctype 73792->73881 73795 262e04 2 API calls 73812 280d29 73795->73812 73796 262fec 3 API calls 73796->73836 73800 262fec 3 API calls 73800->73812 73801 262fec 3 API calls 73801->73819 73805 28050b 44 API calls 73805->73819 73807 280df3 73879 261e40 free 73807->73879 73808 280b26 73862 261e40 free 73808->73862 73810 261e40 free ctype 73810->73812 73812->73781 73812->73787 73812->73795 73812->73800 73812->73807 73812->73810 73874 262f1c 73812->73874 73877 28117d 68 API calls 2 library calls 73812->73877 73814 280c79 73872 261e40 free 73814->73872 73815 280b30 73863 261e40 free 73815->73863 73819->73776 73819->73782 73819->73789 73819->73801 73819->73805 73819->73814 73822 261e40 free ctype 73819->73822 73861 262f4a malloc _CxxThrowException free ctype 73819->73861 73866 261089 malloc _CxxThrowException free _CxxThrowException 73819->73866 73867 2813eb 5 API calls 2 library calls 73819->73867 73868 280ef4 68 API calls 2 library calls 73819->73868 73869 292db9 free ctype 73819->73869 73871 280021 GetLastError 73819->73871 73820 280b38 73864 261e40 free 73820->73864 73822->73819 73830 280b48 73865 292db9 free ctype 73830->73865 73831 2a04d2 malloc _CxxThrowException free _CxxThrowException memcpy 73831->73836 73833 261e40 free ctype 73833->73836 73834 261524 malloc _CxxThrowException 73834->73836 73836->73769 73836->73777 73836->73788 73836->73796 73836->73808 73836->73819 73836->73830 73836->73831 73836->73833 73836->73834 73837 292db9 free ctype 73836->73837 73841 262da9 73836->73841 73844 262f4a malloc _CxxThrowException free ctype 73836->73844 73845 261089 malloc _CxxThrowException free _CxxThrowException 73836->73845 73846 2813eb 5 API calls 2 library calls 73836->73846 73847 28050b 73836->73847 73852 280021 GetLastError 73836->73852 73853 2649bd 9 API calls 2 library calls 73836->73853 73854 280306 12 API calls 73836->73854 73855 27ff00 5 API calls 2 library calls 73836->73855 73856 28057d 16 API calls 2 library calls 73836->73856 73857 280f8e 24 API calls 2 library calls 73836->73857 73858 26472e CharUpperW 73836->73858 73859 278984 malloc _CxxThrowException free _CxxThrowException memcpy 73836->73859 73860 280ef4 68 API calls 2 library calls 73836->73860 73837->73836 73838->73705 73839->73702 73840->73704 73885 262d4d 73841->73885 73844->73836 73845->73836 73846->73836 73891 266c72 73847->73891 73850 280575 73850->73836 73852->73836 73853->73836 73854->73836 73855->73836 73856->73836 73857->73836 73858->73836 73859->73836 73860->73836 73861->73819 73862->73815 73863->73820 73864->73769 73865->73808 73866->73819 73867->73819 73868->73819 73869->73819 73870->73769 73871->73819 73872->73777 73873->73812 73875 262ba6 2 API calls 73874->73875 73876 262f2c 73875->73876 73876->73812 73877->73812 73878->73769 73879->73787 73880->73792 73881->73769 73882->73783 73883->73783 73884->73769 73888 262ba6 73885->73888 73889 261e0c ctype 2 API calls 73888->73889 73890 262bbb 73889->73890 73890->73836 73893 266c7c __EH_prolog 73891->73893 73892 266cd3 73895 266ce2 73892->73895 73898 266d87 73892->73898 73893->73892 73894 266cb7 73893->73894 73896 262f88 3 API calls 73894->73896 73897 262f88 3 API calls 73895->73897 73899 266cc7 73896->73899 73902 266cf5 73897->73902 73907 266f4a 73898->73907 74019 262e47 73898->74019 73899->73850 73992 262f88 73899->73992 73903 266d4a 73902->73903 73905 266d0b 73902->73905 74015 267b41 28 API calls 73903->74015 73904 262e47 2 API calls 73913 266dc0 73904->73913 74014 269252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 73905->74014 73908 266fd1 73907->73908 73911 266f7e 73907->73911 73914 2670e5 73908->73914 73916 266fed 73908->73916 73934 26701d 73908->73934 73910 266d5f 74016 26764c 73910->74016 74037 266bf5 11 API calls 2 library calls 73911->74037 73912 266d36 73912->73903 73918 266d3a 73912->73918 73926 266dfe 73913->73926 74023 263221 malloc _CxxThrowException free _CxxThrowException 73913->74023 73998 266868 73914->73998 74039 266bf5 11 API calls 2 library calls 73916->74039 73918->73899 73921 266f85 73921->73914 73923 266f99 73921->73923 73933 262f88 3 API calls 73923->73933 73924 266fca 73930 266848 FindClose 73924->73930 73925 266e43 73929 266c72 42 API calls 73925->73929 73926->73925 73940 266e1e 73926->73940 73927 267006 73927->73924 73932 266e4e 73929->73932 73930->73899 73935 266e41 73932->73935 73936 266f3a 73932->73936 73937 266fb0 73933->73937 73934->73914 74040 26717b 13 API calls 73934->74040 73942 262f1c 2 API calls 73935->73942 74035 261e40 free 73936->74035 74038 26717b 13 API calls 73937->74038 73940->73935 73944 262fec 3 API calls 73940->73944 73941 267052 73946 267056 73941->73946 73947 267064 73941->73947 73948 266e77 73942->73948 73943 266f42 74036 261e40 free 73943->74036 73944->73935 73950 262f88 3 API calls 73946->73950 73952 262e47 2 API calls 73947->73952 73951 262e04 2 API calls 73948->73951 73988 26705f 73950->73988 73958 266e83 73951->73958 73953 26706d 73952->73953 74041 261089 malloc _CxxThrowException free _CxxThrowException 73953->74041 73956 266848 FindClose 73956->73899 73957 26707b 74042 261089 malloc _CxxThrowException free _CxxThrowException 73957->74042 73960 266ec7 SetLastError 73958->73960 73974 266ed3 73958->73974 73979 262e04 2 API calls 73958->73979 73980 266ecf 73958->73980 74024 266bb5 17 API calls 73958->74024 74025 2622bf CharUpperW 73958->74025 74026 261e40 free 73958->74026 73960->73980 73961 267085 73964 266868 12 API calls 73961->73964 73965 267095 73964->73965 73967 267099 wcscmp 73965->73967 73972 2670bb 73965->73972 73966 266f11 74029 261e40 free 73966->74029 73971 2670b1 73967->73971 73967->73972 73969 266f19 74030 266848 73969->74030 73981 262f88 3 API calls 73971->73981 74043 266bf5 11 API calls 2 library calls 73972->74043 74027 2631e5 malloc _CxxThrowException free _CxxThrowException 73974->74027 73976 2670c6 73984 2670d8 73976->73984 73991 267129 73976->73991 73979->73958 74028 261e40 free 73980->74028 73982 26714c 73981->73982 74046 261e40 free 73982->74046 74044 261e40 free 73984->74044 73986 266f2b 74034 261e40 free 73986->74034 73988->73956 73990 266ff2 73990->73914 73990->73927 73991->73971 73993 262f9a 73992->73993 73994 262fbe 73993->73994 73995 261e0c ctype 2 API calls 73993->73995 73994->73850 73996 262fb4 73995->73996 74171 261e40 free 73996->74171 73999 266872 __EH_prolog 73998->73999 74000 266848 FindClose 73999->74000 74002 266880 74000->74002 74001 2668f6 74001->73924 74045 26717b 13 API calls 74001->74045 74002->74001 74003 26689b FindFirstFileW 74002->74003 74004 2668a9 74002->74004 74003->74004 74005 2668ee 74004->74005 74007 262e04 2 API calls 74004->74007 74005->74001 74053 266919 malloc _CxxThrowException free 74005->74053 74008 2668ba 74007->74008 74047 268b4a 74008->74047 74010 2668d0 74011 2668d4 FindFirstFileW 74010->74011 74012 2668e2 74010->74012 74011->74012 74052 261e40 free 74012->74052 74014->73912 74015->73910 74017 267656 CloseHandle 74016->74017 74018 267661 74016->74018 74017->74018 74018->73899 74020 262e57 74019->74020 74021 262ba6 2 API calls 74020->74021 74022 262e6a 74021->74022 74022->73904 74023->73926 74024->73958 74025->73958 74026->73958 74027->73980 74028->73966 74029->73969 74031 266852 FindClose 74030->74031 74032 26685d 74030->74032 74031->74032 74033 261e40 free 74032->74033 74033->73986 74034->73899 74035->73943 74036->73907 74037->73921 74038->73924 74039->73990 74040->73941 74041->73957 74042->73961 74043->73976 74044->73990 74045->73924 74046->73988 74054 268b80 74047->74054 74049 268b6e 74049->74010 74051 262f88 3 API calls 74051->74049 74052->74005 74053->74001 74056 268b8a __EH_prolog 74054->74056 74055 268b55 74055->74049 74055->74051 74056->74055 74057 268c7b 74056->74057 74063 268be1 74056->74063 74058 268d23 74057->74058 74059 268c8f 74057->74059 74060 268e8a 74058->74060 74062 268d3b 74058->74062 74059->74062 74066 268c9e 74059->74066 74061 262e47 2 API calls 74060->74061 74064 268e96 74061->74064 74065 262e04 2 API calls 74062->74065 74063->74055 74067 262e47 2 API calls 74063->74067 74072 262e47 2 API calls 74064->74072 74068 268d43 74065->74068 74069 262e47 2 API calls 74066->74069 74070 268c05 74067->74070 74151 266332 6 API calls 2 library calls 74068->74151 74082 268ca7 74069->74082 74077 268c17 74070->74077 74078 268c24 74070->74078 74075 268eb8 74072->74075 74073 268d52 74074 268d56 74073->74074 74152 26859e malloc _CxxThrowException free _CxxThrowException 74073->74152 74162 261e40 free 74074->74162 74163 268f57 memmove 74075->74163 74141 261e40 free 74077->74141 74080 262e47 2 API calls 74078->74080 74087 268c35 74080->74087 74088 262e47 2 API calls 74082->74088 74084 268ec4 74085 268ede 74084->74085 74086 268ec8 74084->74086 74166 263221 malloc _CxxThrowException free _CxxThrowException 74085->74166 74164 261e40 free 74086->74164 74142 268f57 memmove 74087->74142 74092 268cd0 74088->74092 74146 268f57 memmove 74092->74146 74093 268ed0 74165 261e40 free 74093->74165 74094 268c41 74098 268c6b 74094->74098 74143 2631e5 malloc _CxxThrowException free _CxxThrowException 74094->74143 74095 268eeb 74167 2631e5 malloc _CxxThrowException free _CxxThrowException 74095->74167 74145 261e40 free 74098->74145 74099 268cdc 74102 268d13 74099->74102 74147 263221 malloc _CxxThrowException free _CxxThrowException 74099->74147 74150 261e40 free 74102->74150 74105 268f06 74168 2631e5 malloc _CxxThrowException free _CxxThrowException 74105->74168 74106 268c73 74170 261e40 free 74106->74170 74108 268ced 74148 2631e5 malloc _CxxThrowException free _CxxThrowException 74108->74148 74109 262e04 2 API calls 74113 268ddf 74109->74113 74110 268c60 74144 2631e5 malloc _CxxThrowException free _CxxThrowException 74110->74144 74117 268e0e 74113->74117 74122 268df1 74113->74122 74115 268f11 74169 261e40 free 74115->74169 74119 262f88 3 API calls 74117->74119 74123 268e0c 74119->74123 74120 268d08 74149 2631e5 malloc _CxxThrowException free _CxxThrowException 74120->74149 74121 268d65 74121->74074 74121->74109 74153 263199 malloc _CxxThrowException free _CxxThrowException 74122->74153 74155 268f57 memmove 74123->74155 74127 268e03 74154 263199 malloc _CxxThrowException free _CxxThrowException 74127->74154 74128 268e22 74130 268e26 74128->74130 74131 268e3b 74128->74131 74156 263221 malloc _CxxThrowException free _CxxThrowException 74128->74156 74161 261e40 free 74130->74161 74157 268f34 malloc _CxxThrowException 74131->74157 74135 268e49 74158 2631e5 malloc _CxxThrowException free _CxxThrowException 74135->74158 74137 268e56 74159 261e40 free 74137->74159 74139 268e62 74160 2631e5 malloc _CxxThrowException free _CxxThrowException 74139->74160 74141->74055 74142->74094 74143->74110 74144->74098 74145->74106 74146->74099 74147->74108 74148->74120 74149->74102 74150->74106 74151->74073 74152->74121 74153->74127 74154->74123 74155->74128 74156->74131 74157->74135 74158->74137 74159->74139 74160->74130 74161->74074 74162->74055 74163->74084 74164->74093 74165->74055 74166->74095 74167->74105 74168->74115 74169->74106 74170->74055 74171->73994 74172->73714 74174 2690e4 __EH_prolog 74173->74174 74175 262f88 3 API calls 74174->74175 74176 2690f7 74175->74176 74177 26915d 74176->74177 74184 269109 74176->74184 74178 262e04 2 API calls 74177->74178 74179 269165 74178->74179 74180 2691be 74179->74180 74181 269174 74179->74181 74219 266332 6 API calls 2 library calls 74180->74219 74186 262f88 3 API calls 74181->74186 74183 269155 74183->73444 74184->74183 74185 262e47 2 API calls 74184->74185 74188 269122 74185->74188 74187 26917d 74186->74187 74211 2691ca 74187->74211 74217 26859e malloc _CxxThrowException free _CxxThrowException 74187->74217 74214 268f57 memmove 74188->74214 74191 26912e 74194 26914d 74191->74194 74215 2631e5 malloc _CxxThrowException free _CxxThrowException 74191->74215 74193 269185 74197 262e04 2 API calls 74193->74197 74216 261e40 free 74194->74216 74198 269197 74197->74198 74199 2691ce 74198->74199 74200 26919f 74198->74200 74201 262f88 3 API calls 74199->74201 74202 2691b9 74200->74202 74218 261089 malloc _CxxThrowException free _CxxThrowException 74200->74218 74201->74202 74220 263199 malloc _CxxThrowException free _CxxThrowException 74202->74220 74205 2691e6 74221 268f57 memmove 74205->74221 74207 2691ee 74208 2691f2 74207->74208 74210 262fec 3 API calls 74207->74210 74223 261e40 free 74208->74223 74212 269212 74210->74212 74224 261e40 free 74211->74224 74222 2631e5 malloc _CxxThrowException free _CxxThrowException 74212->74222 74214->74191 74215->74194 74216->74183 74217->74193 74218->74202 74219->74187 74220->74205 74221->74207 74222->74208 74223->74211 74224->74183 74225->73738 74226->73477 74227->73476 74229 261e0c ctype 2 API calls 74228->74229 74230 2626ea 74229->74230 74231 295678 74230->74231 74232 2956b1 74231->74232 74233 295689 74231->74233 74249 295593 74232->74249 74235 295593 6 API calls 74233->74235 74237 2956a5 74235->74237 74263 2628a1 74237->74263 74241 29570e fputs 74247 261fa0 fputc 74241->74247 74243 2956ef 74244 295593 6 API calls 74243->74244 74245 295701 74244->74245 74246 295711 6 API calls 74245->74246 74246->74241 74247->73489 74248->73483 74250 2955ad 74249->74250 74251 2628a1 5 API calls 74250->74251 74252 2955b8 74251->74252 74268 26286d 74252->74268 74255 2628a1 5 API calls 74256 2955c7 74255->74256 74257 295711 74256->74257 74258 2956e0 74257->74258 74259 295721 74257->74259 74258->74241 74267 262881 malloc _CxxThrowException free memcpy _CxxThrowException 74258->74267 74260 2628a1 5 API calls 74259->74260 74261 29572b 74260->74261 74276 2955cd 6 API calls 74261->74276 74264 2628b0 74263->74264 74277 26267f 74264->74277 74266 2628bf 74266->74232 74267->74243 74271 261e9d 74268->74271 74272 261ead 74271->74272 74273 261ea8 74271->74273 74272->74255 74275 26263c malloc _CxxThrowException free memcpy _CxxThrowException 74273->74275 74275->74272 74276->74258 74278 2626c2 74277->74278 74279 262693 74277->74279 74278->74266 74280 2626c8 _CxxThrowException 74279->74280 74281 2626bc 74279->74281 74282 2626dd 74280->74282 74286 262595 malloc _CxxThrowException free memcpy ctype 74281->74286 74284 261e0c ctype 2 API calls 74282->74284 74285 2626ea 74284->74285 74285->74266 74286->74278 74287->73496 74297 261e40 free 74288->74297 74290 282c16 74298 261e40 free 74290->74298 74292 282c1e 74293 261e40 free 74292->74293 74293->73500 74294->73502 74295->73504 74296->73506 74297->74290 74298->74292 74299->73516 74301 29ad33 __EH_prolog 74300->74301 74302 262e04 2 API calls 74301->74302 74303 29ad5f 74302->74303 74304 262e04 2 API calls 74303->74304 74305 29a5d8 74304->74305 74305->73523 74306->73532 74307->73531 74308->73531 74310 27425a __EH_prolog 74309->74310 74311 262e04 2 API calls 74310->74311 74312 2742c4 74311->74312 74313 262e04 2 API calls 74312->74313 74314 2742d0 74313->74314 74528 27440b 74314->74528 74328 282c2e 74327->74328 74329 282c35 74327->74329 74330 261e0c ctype 2 API calls 74328->74330 74329->73588 74330->74329 74332 2747ee 74331->74332 74333 2747f4 74331->74333 74539 261e40 free 74332->74539 74333->73588 74336 296092 74335->74336 74337 29612c 74336->74337 74540 295d3c 74336->74540 74337->73588 74348 282b13 __EH_prolog 74347->74348 74349 262e04 2 API calls 74348->74349 74350 282b48 74349->74350 74355 2831e2 __EH_prolog 74353->74355 74354 283234 74354->73588 74355->74354 74356 261e0c ctype 2 API calls 74355->74356 74357 283216 74356->74357 74357->74354 74360 282a82 74359->74360 74361 262e04 2 API calls 74360->74361 74364 296363 __EH_prolog 74363->74364 74365 29637f 74364->74365 74367 29c7d7 ctype 6 API calls 74364->74367 74367->74365 74407 282ce5 __EH_prolog 74406->74407 74408 262f1c 2 API calls 74407->74408 74409 282d35 74408->74409 74493 282bbf __EH_prolog 74492->74493 75714 28d24e 74493->75714 74504->73559 74505->73560 74506->73564 74507->73567 74508->73573 74509->73574 74510->73588 74511->73588 74512->73588 74513->73588 74514->73568 74515->73591 74517->73597 74519->73616 74521->73623 74523->73579 74526->73569 74527->73574 74529 274415 __EH_prolog 74528->74529 74539->74333 74541 295d58 74540->74541 74542 295d46 74540->74542 74542->74541 75715 28d259 75714->75715 75747->73689 75748->73685 75749 267b20 75752 267ab2 75749->75752 75753 267ac5 75752->75753 75760 26759a 75753->75760 75756 267b03 75774 267919 75756->75774 75757 267aeb SetFileTime 75757->75756 75761 2675a4 __EH_prolog 75760->75761 75762 26764c CloseHandle 75761->75762 75763 2675af 75762->75763 75764 2675d4 CreateFileW 75763->75764 75765 2675e9 75763->75765 75773 267632 75763->75773 75764->75765 75766 262e04 2 API calls 75765->75766 75765->75773 75767 2675fb 75766->75767 75768 268b4a 9 API calls 75767->75768 75769 267611 75768->75769 75770 267615 CreateFileW 75769->75770 75771 26762a 75769->75771 75770->75771 75790 261e40 free 75771->75790 75773->75756 75773->75757 75775 267aac 75774->75775 75776 26793c 75774->75776 75776->75775 75777 267945 DeviceIoControl 75776->75777 75778 2679e6 75777->75778 75779 267969 75777->75779 75780 2679ef DeviceIoControl 75778->75780 75783 267a14 75778->75783 75779->75778 75785 2679a7 75779->75785 75781 267a22 DeviceIoControl 75780->75781 75780->75783 75782 267a44 DeviceIoControl 75781->75782 75781->75783 75782->75783 75783->75775 75792 26780d 8 API calls ctype 75783->75792 75791 269252 GetModuleHandleW GetProcAddress GetDiskFreeSpaceW 75785->75791 75786 267aa5 75788 2677de 5 API calls 75786->75788 75788->75775 75789 2679d0 75789->75778 75790->75773 75791->75789 75792->75786 75793 2abf67 75794 2abf85 75793->75794 75795 2abf74 75793->75795 75795->75794 75799 2abf8c 75795->75799 75800 2abf96 __EH_prolog 75799->75800 75816 2ad144 75800->75816 75804 2abfd0 75823 261e40 free 75804->75823 75806 2abfdb 75824 261e40 free 75806->75824 75808 2abfe6 75825 2ac072 free ctype 75808->75825 75810 2abff4 75826 27aafa free VariantClear ctype 75810->75826 75812 2ac023 75827 2873d2 free VariantClear __EH_prolog ctype 75812->75827 75814 2abf7f 75815 261e40 free 75814->75815 75815->75794 75818 2ad14e __EH_prolog 75816->75818 75828 2ad1b7 75818->75828 75821 2abfc5 75822 261e40 free 75821->75822 75822->75804 75823->75806 75824->75808 75825->75810 75826->75812 75827->75814 75836 2ad23c 75828->75836 75830 2ad1ed 75843 261e40 free 75830->75843 75832 2ad209 75844 261e40 free 75832->75844 75834 2ad180 75835 2a8e04 memset 75834->75835 75835->75821 75845 2ad2b8 75836->75845 75841 2ad25e 75862 261e40 free 75841->75862 75842 2ad275 75842->75830 75843->75832 75844->75834 75864 261e40 free 75845->75864 75847 2ad2c8 75865 261e40 free 75847->75865 75849 2ad2dc 75866 261e40 free 75849->75866 75851 2ad2e7 75867 261e40 free 75851->75867 75853 2ad2f2 75868 261e40 free 75853->75868 75855 2ad2fd 75869 261e40 free 75855->75869 75857 2ad308 75870 261e40 free 75857->75870 75859 2ad313 75860 2ad246 75859->75860 75871 261e40 free 75859->75871 75860->75841 75863 261e40 free 75860->75863 75862->75842 75863->75841 75864->75847 75865->75849 75866->75851 75867->75853 75868->75855 75869->75857 75870->75859 75871->75860 75872 2e6ba3 VirtualFree 75873 29c2e6 75874 29c52f 75873->75874 75877 29544f SetConsoleCtrlHandler 75874->75877 75876 29c53b 75877->75876 75878 271368 75881 27136d 75878->75881 75880 27138c 75881->75880 75884 2f7d80 WaitForSingleObject 75881->75884 75887 29f745 75881->75887 75891 2f7ea0 SetEvent GetLastError 75881->75891 75885 2f7d8e GetLastError 75884->75885 75886 2f7d98 75884->75886 75885->75886 75886->75881 75888 29f74f __EH_prolog 75887->75888 75892 29f784 75888->75892 75890 29f765 75890->75881 75891->75881 75893 29f78e __EH_prolog 75892->75893 75894 2712d4 4 API calls 75893->75894 75895 29f7c7 75894->75895 75896 2712d4 4 API calls 75895->75896 75897 29f7d4 75896->75897 75898 29f871 75897->75898 75901 26c4d6 75897->75901 75907 2e6b23 VirtualAlloc 75897->75907 75898->75890 75905 26c4e9 75901->75905 75902 26c6f3 75902->75898 75905->75902 75906 26c695 memmove 75905->75906 75908 27111c 75905->75908 75913 2711b4 75905->75913 75906->75905 75907->75898 75909 271130 75908->75909 75910 27115f 75909->75910 75918 26d331 75909->75918 75922 26b668 75909->75922 75910->75905 75914 2711c1 75913->75914 75915 2711eb 75914->75915 75949 2aaf27 75914->75949 75956 2aae7c 75914->75956 75915->75905 75920 26d355 75918->75920 75919 26d374 75919->75909 75920->75919 75921 26b668 10 API calls 75920->75921 75921->75919 75926 26b675 75922->75926 75925 26b8aa GetLastError 75931 26b6aa 75925->75931 75927 267731 5 API calls 75926->75927 75928 26b7e7 75926->75928 75929 26b81b 75926->75929 75926->75931 75932 26b811 75926->75932 75934 26b7ad 75926->75934 75939 26b864 75926->75939 75946 267b4f ReadFile 75926->75946 75927->75926 75933 267731 5 API calls 75928->75933 75928->75939 75930 26b839 memcpy 75929->75930 75929->75931 75930->75931 75931->75909 75947 26b8ec GetLastError 75932->75947 75936 26b80d 75933->75936 75934->75926 75940 26b8c7 75934->75940 75945 2e6a20 VirtualAlloc 75934->75945 75936->75932 75936->75939 75941 267b7c 75939->75941 75940->75931 75942 267b89 75941->75942 75948 267b4f ReadFile 75942->75948 75944 267b9a 75944->75925 75944->75931 75945->75934 75946->75926 75947->75931 75948->75944 75950 2aaf36 75949->75950 75951 2aad3a 99 API calls 75950->75951 75952 2ab010 75950->75952 75954 2aaeeb 107 API calls 75950->75954 75961 26bd0c 75950->75961 75966 2aaebf 107 API calls 75950->75966 75951->75950 75952->75914 75954->75950 75957 2aae86 75956->75957 75960 277140 7 API calls 75957->75960 75975 277190 75957->75975 75958 2aaebb 75958->75914 75960->75958 75967 267ca2 75961->75967 75964 26bd3d 75964->75950 75966->75950 75969 267caf 75967->75969 75970 267cdb 75969->75970 75972 267c68 75969->75972 75970->75964 75971 26b8ec GetLastError 75970->75971 75971->75964 75973 267c76 75972->75973 75974 267c79 WriteFile 75972->75974 75973->75974 75974->75969 75976 27719a __EH_prolog 75975->75976 75977 2771b0 75976->75977 75978 2771dd 75976->75978 75979 274d78 VariantClear 75977->75979 75988 276fc5 75978->75988 75981 2771b7 75979->75981 75981->75958 75982 2772b4 75983 274d78 VariantClear 75982->75983 75984 2772c0 75982->75984 75983->75984 75984->75981 75985 277140 7 API calls 75984->75985 75985->75981 75986 2772a3 SetFileSecurityW 75986->75982 75987 277236 75987->75981 75987->75982 75987->75986 75989 276fcf __EH_prolog 75988->75989 75990 2744a6 2 API calls 75989->75990 75992 276fec 75990->75992 75996 277029 75992->75996 76004 27706a 75992->76004 76032 276e71 12 API calls 2 library calls 75992->76032 75994 27709e 76038 261e40 free 75994->76038 75996->76004 76033 274dff 7 API calls 2 library calls 75996->76033 75997 277051 76000 2711b4 107 API calls 75997->76000 75997->76004 76000->76004 76001 27712e 76001->75987 76002 2770c0 76034 266096 15 API calls 2 library calls 76002->76034 76014 2768ac 76004->76014 76005 2770d1 76006 2770e2 76005->76006 76035 274dff 7 API calls 2 library calls 76005->76035 76011 2770e6 76006->76011 76036 276b5e 69 API calls 2 library calls 76006->76036 76009 2770fd 76010 277103 76009->76010 76009->76011 76037 261e40 free 76010->76037 76011->75994 76013 27710b 76013->76001 76015 2768b6 __EH_prolog 76014->76015 76017 276921 76015->76017 76018 267d4b 6 API calls 76015->76018 76029 2768c5 76015->76029 76016 276962 76019 276998 76016->76019 76042 262dcd malloc _CxxThrowException 76016->76042 76017->76016 76017->76019 76041 276a17 6 API calls 2 library calls 76017->76041 76023 276906 76018->76023 76020 2769e1 76019->76020 76039 267c3b SetFileTime 76019->76039 76045 26bcf8 CloseHandle 76020->76045 76023->76017 76040 274dff 7 API calls 2 library calls 76023->76040 76026 27697a 76043 276b09 13 API calls __EH_prolog 76026->76043 76029->75994 76029->76002 76030 27698c 76044 261e40 free 76030->76044 76032->75996 76033->75997 76034->76005 76035->76006 76036->76009 76037->76013 76038->76001 76039->76020 76040->76017 76041->76016 76042->76026 76043->76030 76044->76019 76045->76029 76046 2f7da0 WaitForSingleObject 76047 2f7dbb GetLastError 76046->76047 76048 2f7dc1 76046->76048 76047->76048 76049 2f7dce CloseHandle 76048->76049 76051 2f7ddf 76048->76051 76050 2f7dd9 GetLastError 76049->76050 76049->76051 76050->76051 76052 28cefb 76053 28d0cc 76052->76053 76054 28cf03 76052->76054 76054->76053 76099 28cae9 VariantClear 76054->76099 76056 28cf59 76056->76053 76100 28cae9 VariantClear 76056->76100 76058 28cf71 76058->76053 76101 28cae9 VariantClear 76058->76101 76060 28cf87 76060->76053 76102 28cae9 VariantClear 76060->76102 76062 28cf9d 76062->76053 76103 28cae9 VariantClear 76062->76103 76064 28cfb3 76064->76053 76104 28cae9 VariantClear 76064->76104 76066 28cfc9 76066->76053 76105 264504 malloc _CxxThrowException 76066->76105 76068 28cfdc 76069 262e04 2 API calls 76068->76069 76071 28cfe7 76069->76071 76070 28d009 76073 28d080 76070->76073 76074 28d030 76070->76074 76093 28d07b 76070->76093 76071->76070 76072 262f88 3 API calls 76071->76072 76072->76070 76110 287a0c CharUpperW 76073->76110 76077 262e04 2 API calls 76074->76077 76080 28d038 76077->76080 76078 28d0c4 76114 261e40 free 76078->76114 76079 28d08b 76111 27fdbc 4 API calls 2 library calls 76079->76111 76082 262e04 2 API calls 76080->76082 76084 28d046 76082->76084 76106 27fdbc 4 API calls 2 library calls 76084->76106 76085 28d0a7 76087 262fec 3 API calls 76085->76087 76089 28d0b3 76087->76089 76088 28d057 76090 262fec 3 API calls 76088->76090 76112 261e40 free 76089->76112 76092 28d063 76090->76092 76107 261e40 free 76092->76107 76113 261e40 free 76093->76113 76095 28d06b 76108 261e40 free 76095->76108 76097 28d073 76109 261e40 free 76097->76109 76099->76056 76100->76058 76101->76060 76102->76062 76103->76064 76104->76066 76105->76068 76106->76088 76107->76095 76108->76097 76109->76093 76110->76079 76111->76085 76112->76093 76113->76078 76114->76053 76115 29993d 76199 29b5b1 76115->76199 76118 299963 76205 271f33 76118->76205 76119 261fb3 11 API calls 76119->76118 76121 299975 76122 2999ce 76121->76122 76123 2999b7 GetStdHandle GetConsoleScreenBufferInfo 76121->76123 76124 261e0c ctype 2 API calls 76122->76124 76123->76122 76125 2999dc 76124->76125 76326 287b48 76125->76326 76127 299a29 76343 29b96d _CxxThrowException 76127->76343 76129 299a30 76344 287018 8 API calls 2 library calls 76129->76344 76131 299a7c 76345 28ddb5 6 API calls 2 library calls 76131->76345 76132 299a66 _CxxThrowException 76132->76131 76134 299aa6 76136 299aaa _CxxThrowException 76134->76136 76145 299ac0 76134->76145 76135 299a37 76135->76131 76135->76132 76136->76145 76137 299b3a 76349 261fa0 fputc 76137->76349 76139 299bfa _CxxThrowException 76163 299be6 76139->76163 76141 299b63 fputs 76350 261fa0 fputc 76141->76350 76144 299b79 strlen strlen 76146 299baa fputs fputc 76144->76146 76147 299e25 76144->76147 76145->76137 76145->76139 76346 287dd7 7 API calls 2 library calls 76145->76346 76347 29c077 6 API calls 76145->76347 76348 261e40 free 76145->76348 76146->76163 76358 261fa0 fputc 76147->76358 76150 299e2c fputs 76359 261fa0 fputc 76150->76359 76152 299f0c 76364 261fa0 fputc 76152->76364 76155 299f13 fputs 76365 261fa0 fputc 76155->76365 76157 29b67d 12 API calls 76157->76163 76160 299e42 76160->76152 76193 299ee0 fputs 76160->76193 76360 29b650 fputc fputs fputs fputc 76160->76360 76361 2621d8 fputs 76160->76361 76362 29bde4 fputc fputs 76160->76362 76161 29ac3a 76371 29b96d _CxxThrowException 76161->76371 76162 262e04 2 API calls 76162->76163 76163->76146 76163->76147 76163->76157 76163->76162 76176 299d2a fputs 76163->76176 76182 299d5f fputs 76163->76182 76183 2631e5 malloc _CxxThrowException free _CxxThrowException 76163->76183 76351 2621d8 fputs 76163->76351 76352 26315e malloc _CxxThrowException free _CxxThrowException 76163->76352 76353 263221 malloc _CxxThrowException free _CxxThrowException 76163->76353 76354 261089 malloc _CxxThrowException free _CxxThrowException 76163->76354 76356 261fa0 fputc 76163->76356 76357 261e40 free 76163->76357 76165 29ac35 76370 29b988 33 API calls __aulldiv 76165->76370 76167 299f29 76186 299f77 fputs 76167->76186 76194 299f9f 76167->76194 76366 29b650 fputc fputs fputs fputc 76167->76366 76367 29b5e9 fputc fputs 76167->76367 76368 29bde4 fputc fputs 76167->76368 76169 29ac42 76372 261e40 free 76169->76372 76173 29ac4d 76174 283247 free 76173->76174 76175 29ac5d 76174->76175 76373 261e40 free 76175->76373 76355 2621d8 fputs 76176->76355 76181 29ac7d 76374 2611c2 free __EH_prolog ctype 76181->76374 76182->76163 76183->76163 76369 261fa0 fputc 76186->76369 76190 29ac89 76375 29be0c free __EH_prolog ctype 76190->76375 76363 261fa0 fputc 76193->76363 76194->76161 76194->76165 76195 29ac98 76376 292db9 free ctype 76195->76376 76198 29aca4 76200 29b5bc fputs 76199->76200 76201 29994a 76199->76201 76377 261fa0 fputc 76200->76377 76201->76118 76201->76119 76203 29b5d5 76203->76201 76204 29b5d9 fputs 76203->76204 76204->76201 76206 271f4f 76205->76206 76207 271f6c 76205->76207 76410 281d73 5 API calls __EH_prolog 76206->76410 76378 2729eb 76207->76378 76210 271f5e _CxxThrowException 76210->76207 76212 271fa3 76213 271fbc 76212->76213 76215 264fc0 5 API calls 76212->76215 76216 271fda 76213->76216 76218 262fec 3 API calls 76213->76218 76215->76213 76219 272022 wcscmp 76216->76219 76229 272036 76216->76229 76217 271f95 _CxxThrowException 76217->76212 76218->76216 76220 2720af 76219->76220 76219->76229 76412 281d73 5 API calls __EH_prolog 76220->76412 76222 2720a9 76413 27393c 6 API calls 2 library calls 76222->76413 76223 2720be _CxxThrowException 76223->76229 76225 2720f4 76414 27393c 6 API calls 2 library calls 76225->76414 76227 272108 76228 272135 76227->76228 76415 272e04 62 API calls 2 library calls 76227->76415 76236 272159 76228->76236 76416 272e04 62 API calls 2 library calls 76228->76416 76229->76222 76232 27219a 76229->76232 76417 281d73 5 API calls __EH_prolog 76232->76417 76234 2721a9 _CxxThrowException 76234->76236 76235 27227f 76383 272aa9 76235->76383 76236->76235 76238 272245 76236->76238 76418 281d73 5 API calls __EH_prolog 76236->76418 76241 262fec 3 API calls 76238->76241 76244 27225c 76241->76244 76242 2722d9 76246 272302 76242->76246 76247 262fec 3 API calls 76242->76247 76243 272237 _CxxThrowException 76243->76238 76244->76235 76419 281d73 5 API calls __EH_prolog 76244->76419 76245 262fec 3 API calls 76245->76242 76248 264fc0 5 API calls 76246->76248 76247->76246 76251 272315 76248->76251 76250 272271 _CxxThrowException 76250->76235 76401 27384c 76251->76401 76253 272322 76255 2726c6 76253->76255 76259 2723a1 76253->76259 76254 2728ce 76256 27293a 76254->76256 76271 2728d5 76254->76271 76255->76254 76257 272700 76255->76257 76432 281d73 5 API calls __EH_prolog 76255->76432 76260 2729a5 76256->76260 76261 27293f 76256->76261 76433 2732ec 14 API calls 2 library calls 76257->76433 76269 27247a wcscmp 76259->76269 76285 27248e 76259->76285 76263 2729ae _CxxThrowException 76260->76263 76318 27264d 76260->76318 76440 264eec 16 API calls 76261->76440 76264 2726f2 _CxxThrowException 76264->76257 76265 272713 76267 273a29 5 API calls 76265->76267 76282 272722 76267->76282 76268 27294c 76441 264ea1 8 API calls 76268->76441 76273 2724cf wcscmp 76269->76273 76269->76285 76271->76318 76439 281d73 5 API calls __EH_prolog 76271->76439 76275 2724ef wcscmp 76273->76275 76273->76285 76279 27250f 76275->76279 76275->76285 76276 272953 76280 264fc0 5 API calls 76276->76280 76278 272920 _CxxThrowException 76278->76318 76423 281d73 5 API calls __EH_prolog 76279->76423 76280->76318 76284 2727cf 76282->76284 76288 262fec 3 API calls 76282->76288 76283 27251e _CxxThrowException 76286 27252c 76283->76286 76287 272880 76284->76287 76291 27281f 76284->76291 76435 281d73 5 API calls __EH_prolog 76284->76435 76285->76286 76420 264eec 16 API calls 76285->76420 76421 264ea1 8 API calls 76285->76421 76422 281d73 5 API calls __EH_prolog 76285->76422 76292 272569 76286->76292 76424 272e04 62 API calls 2 library calls 76286->76424 76289 27289b 76287->76289 76296 262fec 3 API calls 76287->76296 76293 2727a9 76288->76293 76289->76318 76438 281d73 5 API calls __EH_prolog 76289->76438 76291->76287 76302 272847 76291->76302 76436 281d73 5 API calls __EH_prolog 76291->76436 76298 27258c 76292->76298 76425 272e04 62 API calls 2 library calls 76292->76425 76293->76284 76434 263563 memmove 76293->76434 76294 2724c1 _CxxThrowException 76294->76273 76296->76289 76300 2725a4 76298->76300 76426 272a61 malloc _CxxThrowException free _CxxThrowException memcpy 76298->76426 76427 264eec 16 API calls 76300->76427 76301 272811 _CxxThrowException 76301->76291 76302->76287 76437 281d73 5 API calls __EH_prolog 76302->76437 76309 2725ad 76428 281b07 49 API calls 76309->76428 76310 2728c0 _CxxThrowException 76310->76254 76311 272839 _CxxThrowException 76311->76302 76312 272872 _CxxThrowException 76312->76287 76314 2725b4 76429 264ea1 8 API calls 76314->76429 76316 2725bb 76317 262fec 3 API calls 76316->76317 76320 2725d6 76316->76320 76317->76320 76318->76121 76319 27261f 76319->76318 76322 262fec 3 API calls 76319->76322 76320->76318 76320->76319 76430 281d73 5 API calls __EH_prolog 76320->76430 76324 27263f 76322->76324 76323 272611 _CxxThrowException 76323->76319 76431 26859e malloc _CxxThrowException free _CxxThrowException 76324->76431 76327 287b52 __EH_prolog 76326->76327 76451 287eec 76327->76451 76329 287ca4 76329->76127 76331 2630ea malloc _CxxThrowException free 76338 287b63 76331->76338 76332 262e04 malloc _CxxThrowException 76332->76338 76334 261e40 free ctype 76334->76338 76336 2a04d2 5 API calls 76336->76338 76338->76329 76338->76331 76338->76332 76338->76334 76338->76336 76339 26429a 3 API calls 76338->76339 76341 287c61 memcpy 76338->76341 76456 2870ea 76338->76456 76459 287a40 76338->76459 76477 287cc3 6 API calls 76338->76477 76478 2712a5 76338->76478 76483 2874eb malloc _CxxThrowException memcpy __EH_prolog ctype 76338->76483 76484 287193 76338->76484 76339->76338 76341->76338 76343->76129 76344->76135 76345->76134 76346->76145 76347->76145 76348->76145 76349->76141 76350->76144 76351->76163 76352->76163 76353->76163 76354->76163 76355->76163 76356->76163 76357->76163 76358->76150 76359->76160 76360->76160 76361->76160 76362->76160 76363->76160 76364->76155 76365->76167 76366->76167 76367->76167 76368->76167 76369->76167 76370->76161 76371->76169 76372->76173 76373->76181 76374->76190 76375->76195 76376->76198 76377->76203 76379 262f1c 2 API calls 76378->76379 76380 2729fe 76379->76380 76442 261e40 free 76380->76442 76382 271f7e 76382->76212 76411 281d73 5 API calls __EH_prolog 76382->76411 76384 272ab3 __EH_prolog 76383->76384 76385 262e8a 2 API calls 76384->76385 76388 272b0f 76384->76388 76386 272af4 76385->76386 76443 272a61 malloc _CxxThrowException free _CxxThrowException memcpy 76386->76443 76387 2722ad 76387->76242 76387->76245 76388->76387 76391 272bc6 76388->76391 76398 272b9f 76388->76398 76445 272cb4 48 API calls 2 library calls 76388->76445 76446 272bf5 8 API calls __EH_prolog 76388->76446 76447 272a61 malloc _CxxThrowException free _CxxThrowException memcpy 76388->76447 76390 272b04 76444 261e40 free 76390->76444 76449 281d73 5 API calls __EH_prolog 76391->76449 76394 272bd6 _CxxThrowException 76394->76387 76398->76387 76448 281d73 5 API calls __EH_prolog 76398->76448 76400 272bb8 _CxxThrowException 76400->76391 76404 273856 __EH_prolog 76401->76404 76402 262e04 malloc _CxxThrowException 76402->76404 76403 262fec 3 API calls 76403->76404 76404->76402 76404->76403 76405 262f88 3 API calls 76404->76405 76406 2a04d2 5 API calls 76404->76406 76408 261e40 free ctype 76404->76408 76409 273917 76404->76409 76450 273b76 malloc _CxxThrowException __EH_prolog ctype 76404->76450 76405->76404 76406->76404 76408->76404 76409->76253 76410->76210 76411->76217 76412->76223 76413->76225 76414->76227 76415->76228 76416->76236 76417->76234 76418->76243 76419->76250 76420->76285 76421->76285 76422->76294 76423->76283 76424->76292 76425->76298 76426->76300 76427->76309 76428->76314 76429->76316 76430->76323 76431->76318 76432->76264 76433->76265 76434->76284 76435->76301 76436->76311 76437->76312 76438->76310 76439->76278 76440->76268 76441->76276 76442->76382 76443->76390 76444->76388 76445->76388 76446->76388 76447->76388 76448->76400 76449->76394 76450->76404 76452 287f14 76451->76452 76453 287ef7 76451->76453 76452->76338 76453->76452 76454 287193 free 76453->76454 76492 261e40 free 76453->76492 76454->76453 76457 262e04 2 API calls 76456->76457 76458 287103 76457->76458 76458->76338 76460 287a4a __EH_prolog 76459->76460 76493 26361b 6 API calls 2 library calls 76460->76493 76462 287a78 76494 26361b 6 API calls 2 library calls 76462->76494 76464 287b20 76496 292db9 free ctype 76464->76496 76466 262e04 malloc _CxxThrowException 76476 287a83 76466->76476 76467 287b2b 76497 292db9 free ctype 76467->76497 76469 287b37 76469->76338 76470 262fec 3 API calls 76470->76476 76471 2a04d2 5 API calls 76471->76476 76472 262fec 3 API calls 76473 287aca wcscmp 76472->76473 76473->76476 76475 261e40 free ctype 76475->76476 76476->76464 76476->76466 76476->76470 76476->76471 76476->76472 76476->76475 76495 287955 malloc _CxxThrowException __EH_prolog ctype 76476->76495 76477->76338 76479 2a04d2 5 API calls 76478->76479 76480 2712ad 76479->76480 76481 261e0c ctype 2 API calls 76480->76481 76482 2712b4 76481->76482 76482->76338 76483->76338 76485 28719d __EH_prolog 76484->76485 76498 292db9 free ctype 76485->76498 76487 2871b3 76499 2871d5 free __EH_prolog ctype 76487->76499 76489 2871bf 76500 261e40 free 76489->76500 76491 2871c7 76491->76338 76492->76453 76493->76462 76494->76476 76495->76476 76496->76467 76497->76469 76498->76487 76499->76489 76500->76491 76501 2a8eb1 76506 2a8ed1 76501->76506 76505 2a8ec9 76507 2a8edb __EH_prolog 76506->76507 76515 2a9267 76507->76515 76511 2a8efd 76520 29e5f1 free ctype 76511->76520 76513 2a8eb9 76513->76505 76514 261e40 free 76513->76514 76514->76505 76516 2a9271 __EH_prolog 76515->76516 76521 261e40 free 76516->76521 76518 2a8ef1 76519 2a922b free CloseHandle GetLastError ctype 76518->76519 76519->76511 76520->76513 76521->76518 76522 26c3bd 76523 26c3db 76522->76523 76524 26c3ca 76522->76524 76524->76523 76526 261e40 free 76524->76526 76526->76523 76527 295475 76528 262fec 3 API calls 76527->76528 76529 2954b4 76528->76529 76530 29c911 24 API calls 76529->76530 76531 2954bb 76530->76531 76535 2fffb1 __setusermatherr 76536 2fffbd 76535->76536 76540 300068 _controlfp 76536->76540 76538 2fffc2 _initterm __getmainargs _initterm __p___initenv 76539 29c27c 76538->76539 76540->76538 76541 29adb7 76542 29adc1 __EH_prolog 76541->76542 76543 2626dd 2 API calls 76542->76543 76544 29ae1d 76543->76544 76545 262e04 2 API calls 76544->76545 76546 29ae38 76545->76546 76547 262e04 2 API calls 76546->76547 76548 29ae44 76547->76548 76549 262e04 2 API calls 76548->76549 76550 29ae68 76549->76550 76551 29ad29 2 API calls 76550->76551 76552 29ae85 76551->76552 76557 29af2d 76552->76557 76554 29ae94 76555 262e04 2 API calls 76554->76555 76556 29aeb2 76555->76556 76558 29af37 __EH_prolog 76557->76558 76569 2734f4 malloc _CxxThrowException __EH_prolog 76558->76569 76560 29afac 76561 262e04 2 API calls 76560->76561 76562 29afbb 76561->76562 76563 262e04 2 API calls 76562->76563 76564 29afca 76563->76564 76565 262e04 2 API calls 76564->76565 76566 29afd9 76565->76566 76567 262e04 2 API calls 76566->76567 76568 29afe8 76567->76568 76568->76554 76569->76560 76570 2e69f0 free 76571 28d948 76601 28dac7 76571->76601 76573 28d94f 76574 262e04 2 API calls 76573->76574 76575 28d97b 76574->76575 76576 262e04 2 API calls 76575->76576 76577 28d987 76576->76577 76580 28d9e7 76577->76580 76609 266404 76577->76609 76582 28da0f 76580->76582 76583 28da36 76580->76583 76634 261e40 free 76582->76634 76585 28da94 76583->76585 76591 262da9 2 API calls 76583->76591 76597 2a04d2 5 API calls 76583->76597 76636 261524 malloc _CxxThrowException __EH_prolog ctype 76583->76636 76637 261e40 free 76583->76637 76638 261e40 free 76585->76638 76587 28d9bf 76632 261e40 free 76587->76632 76588 28da17 76635 261e40 free 76588->76635 76591->76583 76593 28d9c7 76633 261e40 free 76593->76633 76594 28da9c 76639 261e40 free 76594->76639 76597->76583 76598 28d9cf 76602 28dad1 __EH_prolog 76601->76602 76603 262e04 2 API calls 76602->76603 76604 28db33 76603->76604 76605 262e04 2 API calls 76604->76605 76606 28db3f 76605->76606 76607 262e04 2 API calls 76606->76607 76608 28db55 76607->76608 76608->76573 76610 26631f 9 API calls 76609->76610 76611 266414 76610->76611 76612 262f88 3 API calls 76611->76612 76613 266423 76611->76613 76612->76613 76614 262f88 3 API calls 76613->76614 76615 26643d 76614->76615 76616 277e5a 76615->76616 76617 277e64 __EH_prolog 76616->76617 76640 278179 76617->76640 76620 287ebb free 76621 277e7f 76620->76621 76622 262fec 3 API calls 76621->76622 76623 277e9a 76622->76623 76624 262da9 2 API calls 76623->76624 76625 277ea7 76624->76625 76626 266c72 44 API calls 76625->76626 76627 277eb7 76626->76627 76645 261e40 free 76627->76645 76629 277ecb 76630 277ed8 76629->76630 76646 26757d GetLastError 76629->76646 76630->76580 76630->76587 76632->76593 76633->76598 76634->76588 76635->76598 76636->76583 76637->76583 76638->76594 76639->76598 76643 278906 76640->76643 76641 277e77 76641->76620 76643->76641 76647 278804 free ctype 76643->76647 76648 261e40 free 76643->76648 76645->76629 76646->76630 76647->76643 76648->76643 76649 26b144 76650 26b153 76649->76650 76652 26b159 76649->76652 76651 2711b4 107 API calls 76650->76651 76651->76652 76653 2e6bc6 76654 2e6bcd 76653->76654 76656 2e6bca 76653->76656 76655 2e6bd1 malloc 76654->76655 76654->76656 76655->76656 76657 2a0343 76662 2a035f 76657->76662 76660 2a0358 76663 2a0369 __EH_prolog 76662->76663 76679 27139e 76663->76679 76668 2a0143 ctype free 76669 2a039a 76668->76669 76689 261e40 free 76669->76689 76671 2a03a2 76690 261e40 free 76671->76690 76673 2a03aa 76691 2a03d8 76673->76691 76678 261e40 free 76678->76660 76680 2713ae 76679->76680 76682 2713b3 76679->76682 76707 2f7ea0 SetEvent GetLastError 76680->76707 76683 2a01c4 76682->76683 76686 2a01ce __EH_prolog 76683->76686 76684 2a0203 76708 261e40 free 76684->76708 76686->76684 76709 261e40 free 76686->76709 76687 2a020b 76687->76668 76689->76671 76690->76673 76692 2a03e2 __EH_prolog 76691->76692 76693 27139e ctype 2 API calls 76692->76693 76694 2a03fb 76693->76694 76710 2f7d50 76694->76710 76696 2a0403 76697 2f7d50 ctype 2 API calls 76696->76697 76698 2a040b 76697->76698 76699 2f7d50 ctype 2 API calls 76698->76699 76700 2a03b7 76699->76700 76701 2a004a 76700->76701 76702 2a0054 __EH_prolog 76701->76702 76716 261e40 free 76702->76716 76704 2a0067 76717 261e40 free 76704->76717 76706 2a006f 76706->76660 76706->76678 76707->76682 76708->76687 76709->76686 76711 2f7d59 CloseHandle 76710->76711 76712 2f7d7b 76710->76712 76713 2f7d75 76711->76713 76714 2f7d64 GetLastError 76711->76714 76712->76696 76713->76712 76714->76712 76715 2f7d6e 76714->76715 76715->76696 76716->76704 76717->76706 76718 28d3c2 76719 28d3e9 76718->76719 76720 26965d VariantClear 76719->76720 76721 28d42a 76720->76721 76722 28d883 2 API calls 76721->76722 76723 28d4b1 76722->76723 76809 288d4a 76723->76809 76726 288b05 VariantClear 76729 28d4e3 76726->76729 76727 282a72 2 API calls 76728 28d54c 76727->76728 76730 262fec 3 API calls 76728->76730 76729->76727 76731 28d594 76730->76731 76732 28d5cd 76731->76732 76733 28d742 76731->76733 76735 28d7d9 76732->76735 76826 289317 76732->76826 76841 28cd49 malloc _CxxThrowException free 76733->76841 76844 261e40 free 76735->76844 76736 28d754 76739 262fec 3 API calls 76736->76739 76742 28d763 76739->76742 76740 28d7e1 76845 261e40 free 76740->76845 76842 261e40 free 76742->76842 76744 28d5f1 76747 2a04d2 5 API calls 76744->76747 76746 28d7e9 76749 28326b free 76746->76749 76750 28d5f9 76747->76750 76748 28d76b 76843 261e40 free 76748->76843 76753 28d69a 76749->76753 76832 28e332 76750->76832 76755 28d773 76757 28326b free 76755->76757 76757->76753 76758 28d610 76839 261e40 free 76758->76839 76760 28d618 76761 28326b free 76760->76761 76762 28d2a8 76761->76762 76762->76753 76784 28d883 76762->76784 76765 262fec 3 API calls 76766 28d361 76765->76766 76767 262fec 3 API calls 76766->76767 76768 28d36d 76767->76768 76796 28d0e1 76768->76796 76770 28d380 76771 28d38a 76770->76771 76772 28d665 76770->76772 76774 2a04d2 5 API calls 76771->76774 76773 28d68b 76772->76773 76840 28cd49 malloc _CxxThrowException free 76772->76840 76776 28326b free 76773->76776 76777 28d392 76774->76777 76776->76753 76779 28e332 2 API calls 76777->76779 76778 28d67c 76780 262fec 3 API calls 76778->76780 76781 28d3a1 76779->76781 76780->76773 76782 28326b free 76781->76782 76783 28d3b0 76782->76783 76785 28d88d __EH_prolog 76784->76785 76786 262e04 2 API calls 76785->76786 76787 28d8c6 76786->76787 76788 262e04 2 API calls 76787->76788 76789 28d8d2 76788->76789 76790 262e04 2 API calls 76789->76790 76791 28d8de 76790->76791 76792 282b63 2 API calls 76791->76792 76793 28d8fa 76792->76793 76794 282b63 2 API calls 76793->76794 76795 28d34f 76794->76795 76795->76765 76797 28d0eb __EH_prolog 76796->76797 76798 28d138 76797->76798 76799 28d10b 76797->76799 76801 261e0c ctype 2 API calls 76798->76801 76808 28d112 76798->76808 76800 261e0c ctype 2 API calls 76799->76800 76800->76808 76802 28d14b 76801->76802 76803 262fec 3 API calls 76802->76803 76804 28d17b 76803->76804 76846 267b41 28 API calls 76804->76846 76806 28d18a 76806->76808 76847 26757d GetLastError 76806->76847 76808->76770 76810 288d54 __EH_prolog 76809->76810 76824 288da4 76810->76824 76848 262b55 malloc _CxxThrowException free _CxxThrowException ctype 76810->76848 76811 288e09 76813 26965d VariantClear 76811->76813 76812 288e15 76814 288e2d 76812->76814 76815 288e5e 76812->76815 76816 288e21 76812->76816 76818 288e11 76813->76818 76814->76815 76820 288e2b 76814->76820 76817 26965d VariantClear 76815->76817 76849 263097 malloc _CxxThrowException free SysStringLen ctype 76816->76849 76817->76818 76818->76726 76822 26965d VariantClear 76820->76822 76823 288e47 76822->76823 76823->76818 76850 288e7c 6 API calls __EH_prolog 76823->76850 76824->76811 76824->76812 76824->76818 76830 289321 __EH_prolog 76826->76830 76827 289360 76828 26965d VariantClear 76827->76828 76829 2893d0 76828->76829 76829->76735 76829->76744 76830->76827 76851 269686 VariantClear 76830->76851 76833 28e33c __EH_prolog 76832->76833 76834 261e0c ctype 2 API calls 76833->76834 76835 28e34a 76834->76835 76837 28d608 76835->76837 76852 28e3d1 malloc _CxxThrowException __EH_prolog 76835->76852 76838 261e40 free 76837->76838 76838->76758 76839->76760 76840->76778 76841->76736 76842->76748 76843->76755 76844->76740 76845->76746 76846->76806 76847->76808 76848->76824 76849->76820 76850->76818 76851->76827 76852->76837 76853 28a7c5 76872 28a7e9 76853->76872 76905 28a96b 76853->76905 76854 28ade3 76958 261e40 free 76854->76958 76856 28a952 76856->76905 76939 28e0b0 6 API calls 76856->76939 76857 28adeb 76959 261e40 free 76857->76959 76861 28ac1e 76945 261e40 free 76861->76945 76862 28ae99 76866 261e0c ctype 2 API calls 76862->76866 76865 2a04d2 malloc _CxxThrowException free _CxxThrowException memcpy 76869 28adf3 76865->76869 76867 28aea9 memset memset 76866->76867 76870 28aedd 76867->76870 76868 28ac26 76946 261e40 free 76868->76946 76869->76862 76869->76865 76960 261e40 free 76870->76960 76872->76856 76878 2a04d2 5 API calls 76872->76878 76938 28e0b0 6 API calls 76872->76938 76874 28aee5 76961 261e40 free 76874->76961 76878->76872 76879 28aef0 76962 261e40 free 76879->76962 76882 28c430 76964 261e40 free 76882->76964 76885 28c438 76965 261e40 free 76885->76965 76886 28ac6c 76947 261e40 free 76886->76947 76890 28c443 76966 261e40 free 76890->76966 76891 28ac85 76948 261e40 free 76891->76948 76893 28c44e 76967 261e40 free 76893->76967 76896 28ac2e 76963 261e40 free 76896->76963 76897 28c459 76899 28ad88 76955 288125 free ctype 76899->76955 76903 28ad17 76952 288125 free ctype 76903->76952 76904 28ad93 76956 261e40 free 76904->76956 76905->76854 76905->76861 76905->76886 76905->76899 76905->76903 76906 28acbc 76905->76906 76920 27101c 76905->76920 76923 2898f2 76905->76923 76929 28cc6f 76905->76929 76940 289531 5 API calls __EH_prolog 76905->76940 76941 2880c1 malloc _CxxThrowException __EH_prolog 76905->76941 76942 28c820 5 API calls 2 library calls 76905->76942 76943 28814d 6 API calls 76905->76943 76944 288125 free ctype 76905->76944 76949 288125 free ctype 76906->76949 76910 28acc7 76950 261e40 free 76910->76950 76911 28ad3c 76953 261e40 free 76911->76953 76912 28adac 76957 261e40 free 76912->76957 76916 28ace0 76951 261e40 free 76916->76951 76917 28ad55 76954 261e40 free 76917->76954 76922 26b95a 6 API calls 76920->76922 76921 271028 76921->76905 76922->76921 76924 2898fc __EH_prolog 76923->76924 76968 289987 76924->76968 76926 289911 76928 289970 76926->76928 76972 28ef8d 12 API calls 2 library calls 76926->76972 76928->76905 77012 2acf91 76929->77012 77020 2a5505 76929->77020 77024 2af445 76929->77024 76930 28cc8b 76934 28cccb 76930->76934 77030 28979e VariantClear __EH_prolog 76930->77030 76932 28ccb1 76932->76934 77031 28cae9 VariantClear 76932->77031 76934->76905 76938->76872 76939->76905 76940->76905 76941->76905 76942->76905 76943->76905 76944->76905 76945->76868 76946->76896 76947->76891 76948->76896 76949->76910 76950->76916 76951->76896 76952->76911 76953->76917 76954->76896 76955->76904 76956->76912 76957->76896 76958->76857 76959->76869 76960->76874 76961->76879 76962->76896 76963->76882 76964->76885 76965->76890 76966->76893 76967->76897 76969 289991 __EH_prolog 76968->76969 76973 2b80aa 76969->76973 76970 2899a8 76970->76926 76972->76928 76974 2b80b4 __EH_prolog 76973->76974 76975 261e0c ctype 2 API calls 76974->76975 76976 2b80bf 76975->76976 76977 2b80d3 76976->76977 76979 2abdb5 76976->76979 76977->76970 76980 2abdbf __EH_prolog 76979->76980 76985 2abe69 76980->76985 76982 2abdef 76983 262e04 2 API calls 76982->76983 76984 2abe16 76983->76984 76984->76977 76986 2abe73 __EH_prolog 76985->76986 76989 2a5e2b 76986->76989 76988 2abe7f 76988->76982 76990 2a5e35 __EH_prolog 76989->76990 76995 2a08b6 76990->76995 76992 2a5e41 77000 27dfc9 malloc _CxxThrowException __EH_prolog 76992->77000 76994 2a5e57 76994->76988 77001 269c60 76995->77001 76997 2a08c4 77006 269c8f GetModuleHandleA GetProcAddress 76997->77006 76999 2a08f3 __aulldiv 76999->76992 77000->76994 77011 269c4d GetCurrentProcess GetProcessAffinityMask 77001->77011 77003 269c6e 77004 269c80 GetSystemInfo 77003->77004 77005 269c79 77003->77005 77004->76997 77005->76997 77007 269cc4 GlobalMemoryStatusEx 77006->77007 77008 269cef GlobalMemoryStatus 77006->77008 77007->77008 77010 269cce 77007->77010 77009 269d08 77008->77009 77009->77010 77010->76999 77011->77003 77013 2acf9b __EH_prolog 77012->77013 77014 2af445 14 API calls 77013->77014 77015 2ad018 77014->77015 77017 2ad01f 77015->77017 77032 2b1511 77015->77032 77017->76930 77018 2ad08b 77018->77017 77038 2b2c5d 11 API calls 2 library calls 77018->77038 77021 2a550f __EH_prolog 77020->77021 77164 2a4e8a 77021->77164 77025 2af455 77024->77025 77380 271092 77025->77380 77028 2af478 77028->76930 77030->76932 77031->76934 77033 2b151b __EH_prolog 77032->77033 77039 2b10d3 77033->77039 77036 2b1589 77036->77018 77037 2b1552 _CxxThrowException 77037->77018 77038->77017 77040 2b10dd __EH_prolog 77039->77040 77041 2ad1b7 free 77040->77041 77042 2b10f2 77041->77042 77043 2b12ef 77042->77043 77044 2b11f4 77042->77044 77047 271168 10 API calls 77042->77047 77043->77036 77043->77037 77044->77043 77070 26b95a 6 API calls 77044->77070 77045 2b139e 77045->77043 77046 2b13c4 77045->77046 77048 261e0c ctype 2 API calls 77045->77048 77071 271168 77046->77071 77047->77044 77048->77046 77050 2b13da 77053 2b13f9 77050->77053 77063 2b13de 77050->77063 77109 2aef67 _CxxThrowException 77050->77109 77074 2af047 77053->77074 77056 2b14ba 77113 2b0943 50 API calls 2 library calls 77056->77113 77058 2b1450 77078 2b06ae 77058->77078 77061 2b14e7 77114 292db9 free ctype 77061->77114 77115 261e40 free 77063->77115 77066 2b148e 77067 2af047 _CxxThrowException 77066->77067 77068 2b14ac 77067->77068 77068->77056 77112 2aef67 _CxxThrowException 77068->77112 77070->77045 77072 27111c 10 API calls 77071->77072 77073 27117b 77072->77073 77073->77050 77075 2af063 77074->77075 77076 2af072 77075->77076 77116 2aef67 _CxxThrowException 77075->77116 77076->77056 77076->77058 77110 2aef67 _CxxThrowException 77076->77110 77079 2b06b8 __EH_prolog 77078->77079 77117 2b03f4 77079->77117 77081 2b0877 77083 2ab8dc ctype free 77081->77083 77082 2712a5 5 API calls 77107 2b0715 77082->77107 77084 2b08a6 77083->77084 77147 261e40 free 77084->77147 77085 2b08e3 _CxxThrowException 77087 2b08f7 77085->77087 77092 2ab8dc ctype free 77087->77092 77088 2b08ae 77148 261e40 free 77088->77148 77089 26429a 3 API calls 77089->77107 77091 2b08b6 77149 261e40 free 77091->77149 77094 2b0914 77092->77094 77151 261e40 free 77094->77151 77095 261e0c ctype 2 API calls 77095->77107 77096 2b08be 77150 2ac149 free ctype 77096->77150 77099 2b091c 77152 261e40 free 77099->77152 77100 2b08d0 77100->77061 77100->77066 77111 2aef67 _CxxThrowException 77100->77111 77102 2b0924 77153 261e40 free 77102->77153 77104 2a81ec 29 API calls 77104->77107 77105 2b092c 77154 2ac149 free ctype 77105->77154 77107->77081 77107->77082 77107->77085 77107->77087 77107->77089 77107->77095 77107->77104 77108 2aef67 _CxxThrowException 77107->77108 77108->77107 77109->77053 77110->77058 77111->77066 77112->77056 77113->77061 77114->77063 77115->77043 77116->77076 77118 2af047 _CxxThrowException 77117->77118 77119 2b0407 77118->77119 77120 2b0475 77119->77120 77122 2af047 _CxxThrowException 77119->77122 77121 2b049a 77120->77121 77158 2afa3f 22 API calls 2 library calls 77120->77158 77123 2b04b8 77121->77123 77159 2b159a malloc _CxxThrowException free ctype 77121->77159 77125 2b0421 77122->77125 77124 2b04e8 77123->77124 77128 2b04cd 77123->77128 77161 2b7c4a malloc _CxxThrowException free ctype 77124->77161 77129 2b043e 77125->77129 77155 2aef67 _CxxThrowException 77125->77155 77160 2afff0 9 API calls 2 library calls 77128->77160 77156 2af93c 7 API calls 2 library calls 77129->77156 77131 2b0492 77133 2af047 _CxxThrowException 77131->77133 77133->77121 77135 2b04db 77140 2af047 _CxxThrowException 77135->77140 77137 2b04e3 77142 2b054a 77137->77142 77163 2aef67 _CxxThrowException 77137->77163 77138 2b0446 77139 2b046d 77138->77139 77157 2aef67 _CxxThrowException 77138->77157 77141 2af047 _CxxThrowException 77139->77141 77140->77137 77141->77120 77142->77107 77143 2b04f3 77143->77137 77162 27089e malloc _CxxThrowException free _CxxThrowException memcpy 77143->77162 77147->77088 77148->77091 77149->77096 77150->77100 77151->77099 77152->77102 77153->77105 77154->77100 77155->77129 77156->77138 77157->77139 77158->77131 77159->77123 77160->77135 77161->77143 77162->77143 77163->77142 77165 2a4e94 __EH_prolog 77164->77165 77166 262e04 2 API calls 77165->77166 77213 2a4f1d 77165->77213 77167 2a4ed7 77166->77167 77296 277fc5 77167->77296 77169 2a4f0a 77171 26965d VariantClear 77169->77171 77170 2a4f37 77172 2a4f63 77170->77172 77173 2a4f41 77170->77173 77174 2a4f15 77171->77174 77176 262f88 3 API calls 77172->77176 77175 26965d VariantClear 77173->77175 77317 261e40 free 77174->77317 77179 2a4f4c 77175->77179 77177 2a4f71 77176->77177 77180 26965d VariantClear 77177->77180 77318 261e40 free 77179->77318 77182 2a4f80 77180->77182 77319 275bcf malloc _CxxThrowException 77182->77319 77184 2a4f9a 77185 262e47 2 API calls 77184->77185 77186 2a4fad 77185->77186 77187 262f1c 2 API calls 77186->77187 77188 2a4fbd 77187->77188 77189 262e04 2 API calls 77188->77189 77190 2a4fd1 77189->77190 77191 262e04 2 API calls 77190->77191 77192 2a4fdd 77191->77192 77193 2a5404 77192->77193 77320 275bcf malloc _CxxThrowException 77192->77320 77358 261e40 free 77193->77358 77195 2a540c 77359 261e40 free 77195->77359 77197 2a5414 77360 261e40 free 77197->77360 77200 2a5099 77202 262da9 2 API calls 77200->77202 77201 2a541c 77361 261e40 free 77201->77361 77204 2a50a9 77202->77204 77206 262fec 3 API calls 77204->77206 77205 2a5424 77362 261e40 free 77205->77362 77208 2a50b6 77206->77208 77321 261e40 free 77208->77321 77209 2a542c 77363 261e40 free 77209->77363 77212 2a50be 77322 261e40 free 77212->77322 77213->76930 77215 2a50cd 77216 262f88 3 API calls 77215->77216 77217 2a50e3 77216->77217 77218 2a5100 77217->77218 77219 2a50f1 77217->77219 77323 263044 malloc _CxxThrowException free ctype 77218->77323 77220 2630ea 3 API calls 77219->77220 77222 2a50fe 77220->77222 77324 271029 6 API calls 77222->77324 77224 2a511a 77225 2a516b 77224->77225 77226 2a5120 77224->77226 77331 27089e malloc _CxxThrowException free _CxxThrowException memcpy 77225->77331 77325 261e40 free 77226->77325 77229 2a5187 77232 2a04d2 5 API calls 77229->77232 77230 2a5128 77326 261e40 free 77230->77326 77234 2a51ba 77232->77234 77233 2a5130 77327 261e40 free 77233->77327 77332 2a0516 malloc _CxxThrowException ctype 77234->77332 77236 2a5138 77328 261e40 free 77236->77328 77239 2a51c5 77244 2a522d 77239->77244 77245 2a51f5 77239->77245 77240 2a5140 77329 261e40 free 77240->77329 77242 2a5148 77330 261e40 free 77242->77330 77246 262e04 2 API calls 77244->77246 77333 261e40 free 77245->77333 77293 2a5235 77246->77293 77248 2a51fd 77334 261e40 free 77248->77334 77251 2a5205 77335 261e40 free 77251->77335 77252 2a532e 77344 261e40 free 77252->77344 77255 2a520d 77336 261e40 free 77255->77336 77257 2a5347 77257->77193 77259 2a5358 77257->77259 77258 2a5215 77337 261e40 free 77258->77337 77345 261e40 free 77259->77345 77262 2a53a3 77351 261e40 free 77262->77351 77263 2a521d 77338 261e40 free 77263->77338 77264 2a5360 77346 261e40 free 77264->77346 77269 2a5368 77347 261e40 free 77269->77347 77271 2a53bc 77352 261e40 free 77271->77352 77272 2a5370 77348 261e40 free 77272->77348 77276 2a53c4 77353 261e40 free 77276->77353 77277 2a5378 77349 261e40 free 77277->77349 77279 2a04d2 5 API calls 77279->77293 77281 2a53cc 77354 261e40 free 77281->77354 77282 2a5380 77350 261e40 free 77282->77350 77286 2a53d4 77355 261e40 free 77286->77355 77288 2a53dc 77356 261e40 free 77288->77356 77290 2a53e4 77357 261e40 free 77290->77357 77293->77252 77293->77262 77293->77279 77294 262e04 2 API calls 77293->77294 77339 2a545c 5 API calls 2 library calls 77293->77339 77340 271029 6 API calls 77293->77340 77341 27089e malloc _CxxThrowException free _CxxThrowException memcpy 77293->77341 77342 2a0516 malloc _CxxThrowException ctype 77293->77342 77343 261e40 free 77293->77343 77294->77293 77297 277fcf __EH_prolog 77296->77297 77298 277ff4 77297->77298 77299 278061 77297->77299 77301 27805c 77297->77301 77302 278019 77297->77302 77307 27800a 77298->77307 77364 26950d 77298->77364 77299->77301 77315 278025 77299->77315 77372 269630 VariantClear 77301->77372 77302->77298 77305 27801e 77302->77305 77303 2780b8 77308 26965d VariantClear 77303->77308 77309 278042 77305->77309 77310 278022 77305->77310 77373 269736 VariantClear 77307->77373 77312 2780c0 77308->77312 77370 269597 VariantClear 77309->77370 77313 278032 77310->77313 77310->77315 77312->77169 77312->77170 77369 269604 VariantClear 77313->77369 77315->77307 77371 2695df VariantClear 77315->77371 77317->77213 77318->77213 77319->77184 77320->77200 77321->77212 77322->77215 77323->77222 77324->77224 77325->77230 77326->77233 77327->77236 77328->77240 77329->77242 77330->77213 77331->77229 77332->77239 77333->77248 77334->77251 77335->77255 77336->77258 77337->77263 77338->77213 77339->77293 77340->77293 77341->77293 77342->77293 77343->77293 77344->77257 77345->77264 77346->77269 77347->77272 77348->77277 77349->77282 77350->77213 77351->77271 77352->77276 77353->77281 77354->77286 77355->77288 77356->77290 77357->77213 77358->77195 77359->77197 77360->77201 77361->77205 77362->77209 77363->77213 77374 269767 77364->77374 77366 269518 SysAllocStringLen 77367 26954f 77366->77367 77368 269539 _CxxThrowException 77366->77368 77367->77307 77368->77367 77369->77307 77370->77307 77371->77307 77372->77307 77373->77303 77375 269770 77374->77375 77376 269779 77374->77376 77375->77366 77379 269686 VariantClear 77376->77379 77378 269780 77378->77366 77379->77378 77382 26b95a 6 API calls 77380->77382 77381 2710aa 77381->77028 77383 2af1b2 77381->77383 77382->77381 77384 2af1bc __EH_prolog 77383->77384 77385 271168 10 API calls 77384->77385 77386 2af1d3 77385->77386 77387 2af21c _CxxThrowException 77386->77387 77388 2af231 memcpy 77386->77388 77389 2af1e6 77386->77389 77387->77388 77391 2af24c 77388->77391 77389->77028 77390 2af2f0 memmove 77390->77391 77391->77389 77391->77390 77392 2af31a memcpy 77391->77392 77392->77389 77393 2642d1 77394 2642bd 77393->77394 77395 2642c5 77394->77395 77396 261e0c ctype 2 API calls 77394->77396 77396->77395 77397 271ade 77398 271ae8 __EH_prolog 77397->77398 77448 2613f5 77398->77448 77401 271b32 6 API calls 77403 271b8d 77401->77403 77412 271bf8 77403->77412 77466 271ea4 9 API calls 77403->77466 77404 271b24 _CxxThrowException 77404->77401 77406 271bdf 77407 2627bb 3 API calls 77406->77407 77408 271bec 77407->77408 77467 261e40 free 77408->77467 77410 271c89 77462 271eb9 77410->77462 77412->77410 77468 281d73 5 API calls __EH_prolog 77412->77468 77415 271cb2 _CxxThrowException 77415->77410 77449 2613ff __EH_prolog 77448->77449 77450 287ebb free 77449->77450 77451 26142b 77450->77451 77452 261438 77451->77452 77469 261212 free ctype 77451->77469 77453 261e0c ctype 2 API calls 77452->77453 77458 26144d 77453->77458 77455 2614f4 77455->77401 77465 281d73 5 API calls __EH_prolog 77455->77465 77456 2a04d2 5 API calls 77456->77458 77458->77455 77458->77456 77460 261507 77458->77460 77470 261265 5 API calls 2 library calls 77458->77470 77471 261524 malloc _CxxThrowException __EH_prolog ctype 77458->77471 77461 262fec 3 API calls 77460->77461 77461->77455 77472 269313 GetCurrentProcess OpenProcessToken 77462->77472 77465->77404 77466->77406 77467->77412 77468->77415 77469->77452 77470->77458 77471->77458 77473 269390 77472->77473 77474 26933a LookupPrivilegeValueW 77472->77474 77475 269382 77474->77475 77476 26934c AdjustTokenPrivileges 77474->77476 77478 269385 CloseHandle 77475->77478 77476->77475 77477 269372 GetLastError 77476->77477 77477->77478 77478->77473 77479 29acd3 77480 29ace0 77479->77480 77481 29acf1 77479->77481 77480->77481 77485 29acf8 77480->77485 77487 29c0b3 __EH_prolog 77485->77487 77486 29c0ed 77494 261e40 free 77486->77494 77487->77486 77490 287193 free 77487->77490 77493 261e40 free 77487->77493 77489 29aceb 77492 261e40 free 77489->77492 77490->77487 77492->77481 77493->77487 77494->77489 77495 2df190 77496 261e0c ctype 2 API calls 77495->77496 77497 2df1b0 77496->77497 77499 2e69d0 77500 2e69d7 malloc 77499->77500 77501 2e69d4 77499->77501 77502 26b5d9 77503 26b5e6 77502->77503 77504 26b5f7 77502->77504 77503->77504 77508 26b5fe 77503->77508 77509 26b608 __EH_prolog 77508->77509 77515 2e6a40 VirtualFree 77509->77515 77511 26b63d 77512 26764c CloseHandle 77511->77512 77513 26b5f1 77512->77513 77514 261e40 free 77513->77514 77514->77504 77515->77511

                              Executed Functions

                              Function 00269313 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 55COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1073 269313-269338 GetCurrentProcess OpenProcessToken 1074 269390 1073->1074 1075 26933a-26934a LookupPrivilegeValueW 1073->1075 1076 269393-269398 1074->1076 1077 269382 1075->1077 1078 26934c-269370 AdjustTokenPrivileges 1075->1078 1080 269385-26938e CloseHandle 1077->1080 1078->1077 1079 269372-269380 GetLastError 1078->1079 1079->1080 1080->1076
                              APIs
                              • GetCurrentProcess.KERNEL32(00000020,00271EC5,?,7597AB50,?,?,?,?,00271EC5,00271CEF), ref: 00269329
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,00271EC5,00271CEF), ref: 00269330
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeRestorePrivilege,?), ref: 00269342
                              • AdjustTokenPrivileges.KERNELBASE(00271EC5,00000000,?,00000000,00000000,00000000), ref: 00269368
                              • GetLastError.KERNEL32 ref: 00269372
                              • CloseHandle.KERNELBASE(00271EC5,?,?,?,?,00271EC5,00271CEF), ref: 00269388
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeRestorePrivilege
                              • API String ID: 3398352648-1684392131
                              • Opcode ID: 88cc2dce73890c888e116f7a58197b13a0b95e83482cdebfe2ae87f512f57362
                              • Instruction ID: 5d71b7cb41bbe21bd718f289713ebf512b6247cc29610bef359b228ffc2fd17f
                              • Opcode Fuzzy Hash: 88cc2dce73890c888e116f7a58197b13a0b95e83482cdebfe2ae87f512f57362
                              • Instruction Fuzzy Hash: 1301D2729A6218AFCB115FF59C59BDF7F7CEF05340F0412A5F842E2280DA708699C7A0
                              Function 00273D66 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 53COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1081 273d66-273d9c call 2ffb10 GetCurrentProcess call 273e04 OpenProcessToken 1086 273de3-273dfe call 273e04 1081->1086 1087 273d9e-273dbe LookupPrivilegeValueW 1081->1087 1087->1086 1089 273dc0-273dd3 AdjustTokenPrivileges 1087->1089 1089->1086 1091 273dd5-273de1 GetLastError 1089->1091 1091->1086
                              APIs
                              • __EH_prolog.LIBCMT ref: 00273D6B
                              • GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273D7D
                              • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273D94
                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00273DB6
                              • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273DCB
                              • GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273DD5
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorH_prologLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeSecurityPrivilege
                              • API String ID: 3475889169-2333288578
                              • Opcode ID: b813986f636a1aa3660d231169c0adedbd188ae202bdeaebb53ff4ade536ce51
                              • Instruction ID: cfac329cf444490cffee00013b920c3f5b697d70785640837e41ebe4d87ae732
                              • Opcode Fuzzy Hash: b813986f636a1aa3660d231169c0adedbd188ae202bdeaebb53ff4ade536ce51
                              • Instruction Fuzzy Hash: E81152B195111A9FDB11EFA4CD95AFEFBBCFB04744F00462AE816E2190D7758A08DA60
                              Function 002A81EC Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 995COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002A81F1
                                • Part of subcall function 002AF749: _CxxThrowException.MSVCRT(?,00314A58), ref: 002AF792
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrow
                              • String ID:
                              • API String ID: 461045715-3916222277
                              • Opcode ID: 7c8774ccc22c83bcac0d7794f13336fbdd4eaeaa0871a8f8cfc76e0fdba4df53
                              • Instruction ID: 74658113cddafc589297e099597da4abafb84721efd7b433a86a9966f66a6a49
                              • Opcode Fuzzy Hash: 7c8774ccc22c83bcac0d7794f13336fbdd4eaeaa0871a8f8cfc76e0fdba4df53
                              • Instruction Fuzzy Hash: FD929E3091024ADFDF15DFA8C884BAEBBB1BF1A304F244099E805AB291DF759D65CF61
                              Function 00266868 Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0026686D
                                • Part of subcall function 00266848: FindClose.KERNELBASE(00000000,?,00266880), ref: 00266853
                              • FindFirstFileW.KERNELBASE(?,-00000268,?,00000000), ref: 002668A5
                              • FindFirstFileW.KERNELBASE(?,-00000268,00000000,?,00000000), ref: 002668DE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: Find$FileFirst$CloseH_prolog
                              • String ID:
                              • API String ID: 3371352514-0
                              • Opcode ID: 1048a7cb93fe5d0899da3d50533ade3fa76776ebe620ac571b557194ce2d940d
                              • Instruction ID: 6237a32745a139eb188cda58aec21dac5aebc841ed87bf516fffc23dfb6eaa24
                              • Opcode Fuzzy Hash: 1048a7cb93fe5d0899da3d50533ade3fa76776ebe620ac571b557194ce2d940d
                              • Instruction Fuzzy Hash: 3611D03142020ADBCB10EFA4D8595EDB778EF50324F104329E96057191DB328EE9DF80
                              Function 0029A013 Relevance: 60.2, APIs: 15, Strings: 19, Instructions: 690COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 0 29a013-29a01a 1 29a37a-29a544 call 2a04d2 call 261524 call 2a04d2 call 261524 call 261e0c 0->1 2 29a020-29a02d call 271ac8 0->2 61 29a551 1->61 62 29a546-29a54f call 29b0fa 1->62 8 29a22e-29a235 2->8 9 29a033-29a03a 2->9 10 29a23b-29a24d call 29b4f6 8->10 11 29a367-29a375 call 29b55f 8->11 13 29a03c-29a042 9->13 14 29a054-29a089 call 2992d3 9->14 28 29a259-29a2fb call 287ebb call 2627bb call 2626dd call 283d70 call 29ad99 call 2627bb 10->28 29 29a24f-29a253 10->29 27 29ac23-29ac2a 11->27 13->14 19 29a044-29a04f call 2630ea 13->19 25 29a099 14->25 26 29a08b-29a091 14->26 19->14 33 29a09d-29a0de call 262fec call 29b369 25->33 26->25 32 29a093-29a097 26->32 34 29ac3a-29ac66 call 29b96d call 261e40 call 283247 27->34 35 29ac2c-29ac33 27->35 94 29a2fd 28->94 95 29a303-29a362 call 29b6ab call 292db9 call 261e40 * 2 call 29bff8 28->95 29->28 32->33 57 29a0ea-29a0fa 33->57 58 29a0e0-29a0e4 33->58 66 29ac68-29ac6a 34->66 67 29ac6e-29acb5 call 261e40 call 2611c2 call 29be0c call 292db9 34->67 35->34 39 29ac35 35->39 44 29ac35 call 29b988 39->44 44->34 63 29a10d 57->63 64 29a0fc-29a102 57->64 58->57 70 29a553-29a55c 61->70 62->70 72 29a114-29a19e call 262fec call 287ebb call 29ad99 63->72 64->63 71 29a104-29a10b 64->71 66->67 77 29a55e-29a560 70->77 78 29a564-29a5c1 call 262fec call 29b277 70->78 71->72 102 29a1a2 call 28f8e0 72->102 77->78 96 29a5cd-29a652 call 29ad06 call 29bf3e call 273a29 call 262e04 call 284345 78->96 97 29a5c3-29a5c7 78->97 94->95 95->27 137 29a654-29a671 call 28375c call 29b96d 96->137 138 29a676-29a6c8 call 282096 96->138 97->96 106 29a1a7-29a1b1 102->106 110 29a1c0-29a1c9 106->110 111 29a1b3-29a1bb call 29c7d7 106->111 116 29a1cb 110->116 117 29a1d1-29a229 call 29b6ab call 292db9 call 261e40 call 29bfa4 call 29940b 110->117 111->110 116->117 117->27 137->138 143 29a6cd-29a6d6 138->143 146 29a6d8-29a6dd call 29c7d7 143->146 147 29a6e2-29a6e5 143->147 146->147 150 29a72e-29a73a 147->150 151 29a6e7-29a6ee 147->151 152 29a73c-29a74a call 261fa0 150->152 153 29a79e-29a7aa 150->153 154 29a6f0-29a71d call 261fa0 fputs call 261fa0 call 261fb3 call 261fa0 151->154 155 29a722-29a725 151->155 167 29a74c-29a753 152->167 168 29a755-29a799 fputs call 262201 call 261fa0 fputs call 262201 call 261fa0 152->168 156 29a7d9-29a7e5 153->156 157 29a7ac-29a7b2 153->157 154->155 155->150 158 29a727 155->158 163 29a818-29a81a 156->163 164 29a7e7-29a7ed 156->164 157->156 161 29a7b4-29a7d4 fputs call 262201 call 261fa0 157->161 158->150 161->156 169 29a899-29a8a5 163->169 172 29a81c-29a82b 163->172 164->169 170 29a7f3-29a813 fputs call 262201 call 261fa0 164->170 167->153 167->168 168->153 176 29a8e9-29a8ed 169->176 177 29a8a7-29a8ad 169->177 170->163 179 29a82d-29a84c fputs call 262201 call 261fa0 172->179 180 29a851-29a85d 172->180 182 29a8ef 176->182 183 29a8f6-29a8f8 176->183 177->182 187 29a8af-29a8c2 call 261fa0 177->187 179->180 180->169 181 29a85f-29a872 call 261fa0 180->181 181->169 206 29a874-29a894 fputs call 262201 call 261fa0 181->206 182->183 192 29aaaf-29aaeb call 2843b3 call 261e40 call 29c104 call 29ad82 183->192 193 29a8fe-29a90a 183->193 187->182 211 29a8c4-29a8e4 fputs call 262201 call 261fa0 187->211 248 29ac0b-29ac1e call 292db9 * 2 192->248 249 29aaf1-29aaf7 192->249 202 29a910-29a91f 193->202 203 29aa73-29aa89 call 261fa0 193->203 202->203 208 29a925-29a929 202->208 203->192 218 29aa8b-29aaaa fputs call 262201 call 261fa0 203->218 206->169 208->192 216 29a92f-29a93d 208->216 211->176 222 29a96a-29a971 216->222 223 29a93f-29a964 fputs call 262201 call 261fa0 216->223 218->192 225 29a98f-29a9a8 fputs call 262201 222->225 226 29a973-29a97a 222->226 223->222 239 29a9ad-29a9bd call 261fa0 225->239 226->225 232 29a97c-29a982 226->232 232->225 237 29a984-29a98d 232->237 237->225 242 29aa06-29aa1f fputs call 262201 237->242 239->242 252 29a9bf-29aa01 fputs call 262201 call 261fa0 fputs call 262201 call 261fa0 239->252 250 29aa24-29aa29 call 261fa0 242->250 248->27 249->248 257 29aa2e-29aa4b fputs call 262201 250->257 252->242 262 29aa50-29aa5b call 261fa0 257->262 262->192 268 29aa5d-29aa71 call 261fa0 call 29710e 262->268 268->192
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$ExceptionThrow
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings: $`&2$p&2$N
                              • API String ID: 3665150552-2061563961
                              • Opcode ID: 4abfd8bc781b69bbf9571a6bdbfeda7a1d5151597107bb0130a376fd91478c49
                              • Instruction ID: d681d93e5c8b5d7e60974d822684a59caab42e460f4976960dd44458338fcfd0
                              • Opcode Fuzzy Hash: 4abfd8bc781b69bbf9571a6bdbfeda7a1d5151597107bb0130a376fd91478c49
                              • Instruction Fuzzy Hash: 11528D30D20259DFCF26EBA4C895BEDBBB5BF44304F14409AE449A7291DB706EA8CF51
                              Function 0029A42C Relevance: 60.0, APIs: 15, Strings: 19, Instructions: 503COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 274 29a42c-29a433 275 29a449-29a4df call 29545d call 262e04 call 281858 call 261e40 274->275 276 29a435-29a444 fputs call 261fa0 274->276 286 29a4ee-29a4f1 275->286 287 29a4e1-29a4e9 call 29c7d7 275->287 276->275 289 29a50e-29a520 call 29c73e 286->289 290 29a4f3-29a4fa 286->290 287->286 295 29ac0b-29ac2a call 292db9 * 2 289->295 296 29a526-29a544 call 261e0c 289->296 290->289 291 29a4fc-29a509 call 2957fb 290->291 291->289 306 29ac3a-29ac66 call 29b96d call 261e40 call 283247 295->306 307 29ac2c-29ac33 295->307 304 29a551 296->304 305 29a546-29a54f call 29b0fa 296->305 309 29a553-29a55c 304->309 305->309 327 29ac68-29ac6a 306->327 328 29ac6e-29acb5 call 261e40 call 2611c2 call 29be0c call 292db9 306->328 307->306 310 29ac35 call 29b988 307->310 313 29a55e-29a560 309->313 314 29a564-29a5c1 call 262fec call 29b277 309->314 310->306 313->314 324 29a5cd-29a652 call 29ad06 call 29bf3e call 273a29 call 262e04 call 284345 314->324 325 29a5c3-29a5c7 314->325 348 29a654-29a671 call 28375c call 29b96d 324->348 349 29a676-29a6d6 call 282096 324->349 325->324 327->328 348->349 355 29a6d8-29a6dd call 29c7d7 349->355 356 29a6e2-29a6e5 349->356 355->356 358 29a72e-29a73a 356->358 359 29a6e7-29a6ee 356->359 360 29a73c-29a74a call 261fa0 358->360 361 29a79e-29a7aa 358->361 362 29a6f0-29a71d call 261fa0 fputs call 261fa0 call 261fb3 call 261fa0 359->362 363 29a722-29a725 359->363 375 29a74c-29a753 360->375 376 29a755-29a799 fputs call 262201 call 261fa0 fputs call 262201 call 261fa0 360->376 364 29a7d9-29a7e5 361->364 365 29a7ac-29a7b2 361->365 362->363 363->358 366 29a727 363->366 371 29a818-29a81a 364->371 372 29a7e7-29a7ed 364->372 365->364 369 29a7b4-29a7d4 fputs call 262201 call 261fa0 365->369 366->358 369->364 377 29a899-29a8a5 371->377 380 29a81c-29a82b 371->380 372->377 378 29a7f3-29a813 fputs call 262201 call 261fa0 372->378 375->361 375->376 376->361 384 29a8e9-29a8ed 377->384 385 29a8a7-29a8ad 377->385 378->371 387 29a82d-29a84c fputs call 262201 call 261fa0 380->387 388 29a851-29a85d 380->388 390 29a8ef 384->390 391 29a8f6-29a8f8 384->391 385->390 395 29a8af-29a8c2 call 261fa0 385->395 387->388 388->377 389 29a85f-29a872 call 261fa0 388->389 389->377 414 29a874-29a894 fputs call 262201 call 261fa0 389->414 390->391 400 29aaaf-29aaeb call 2843b3 call 261e40 call 29c104 call 29ad82 391->400 401 29a8fe-29a90a 391->401 395->390 419 29a8c4-29a8e4 fputs call 262201 call 261fa0 395->419 400->295 456 29aaf1-29aaf7 400->456 410 29a910-29a91f 401->410 411 29aa73-29aa89 call 261fa0 401->411 410->411 416 29a925-29a929 410->416 411->400 426 29aa8b-29aaaa fputs call 262201 call 261fa0 411->426 414->377 416->400 424 29a92f-29a93d 416->424 419->384 430 29a96a-29a971 424->430 431 29a93f-29a964 fputs call 262201 call 261fa0 424->431 426->400 433 29a98f-29a9a8 fputs call 262201 430->433 434 29a973-29a97a 430->434 431->430 447 29a9ad-29a9bd call 261fa0 433->447 434->433 440 29a97c-29a982 434->440 440->433 445 29a984-29a98d 440->445 445->433 450 29aa06-29aa4b fputs call 262201 call 261fa0 fputs call 262201 445->450 447->450 458 29a9bf-29aa01 fputs call 262201 call 261fa0 fputs call 262201 call 261fa0 447->458 466 29aa50-29aa5b call 261fa0 450->466 456->295 458->450 466->400 472 29aa5d-29aa71 call 261fa0 call 29710e 466->472 472->400
                              APIs
                              • fputs.MSVCRT(Scanning the drive for archives:), ref: 0029A43E
                                • Part of subcall function 00261FA0: fputc.MSVCRT ref: 00261FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings: $`&2$p&2$!"$N
                              • API String ID: 269475090-1410049377
                              • Opcode ID: 3ac9f53327e1212c2bddaa54edb086cd0527337a9389c71a20f150b71a013e5d
                              • Instruction ID: 635c7a583240327be181b66ba00ddcb40e1bf252d44ee5d6cda1340ef2dcd60e
                              • Opcode Fuzzy Hash: 3ac9f53327e1212c2bddaa54edb086cd0527337a9389c71a20f150b71a013e5d
                              • Instruction Fuzzy Hash: 12228031920259DFDF2AEBA4C856BDDFBB5BF44300F14409AE449A3291DB706EA4CF51
                              Function 0029993D Relevance: 47.8, APIs: 16, Strings: 11, Instructions: 569COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 478 29993d-299950 call 29b5b1 481 299963-29997e call 271f33 478->481 482 299952-29995e call 261fb3 478->482 486 29998f-299998 481->486 487 299980-29998a 481->487 482->481 488 2999a8 486->488 489 29999a-2999a6 486->489 487->486 490 2999ab-2999b5 488->490 489->488 489->490 491 2999d5-299a04 call 261e0c call 29acb6 490->491 492 2999b7-2999cc GetStdHandle GetConsoleScreenBufferInfo 490->492 500 299a0c-299a24 call 287b48 491->500 501 299a06-299a08 491->501 492->491 493 2999ce-2999d2 492->493 493->491 503 299a29-299a48 call 29b96d call 287018 call 271aa4 500->503 501->500 510 299a4a-299a4c 503->510 511 299a7c-299aa8 call 28ddb5 503->511 512 299a4e-299a55 510->512 513 299a66-299a77 _CxxThrowException 510->513 518 299aaa-299abb _CxxThrowException 511->518 519 299ac0-299ade 511->519 512->513 515 299a57-299a64 call 271ac8 512->515 513->511 515->511 515->513 518->519 520 299b3a-299b55 519->520 521 299ae0-299b04 call 287dd7 519->521 526 299b5c-299ba4 call 261fa0 fputs call 261fa0 strlen * 2 520->526 527 299b57 520->527 528 299bfa-299c0b _CxxThrowException 521->528 529 299b0a-299b0e 521->529 539 299baa-299be4 fputs fputc 526->539 540 299e25-299e4d call 261fa0 fputs call 261fa0 526->540 527->526 532 299c10 528->532 529->528 531 299b14-299b38 call 29c077 call 261e40 529->531 531->520 531->521 535 299c12-299c25 532->535 543 299c27-299c33 535->543 544 299be6-299bf0 535->544 539->543 539->544 554 299f0c-299f34 call 261fa0 fputs call 261fa0 540->554 555 299e53 540->555 552 299c81-299cb1 call 29b67d call 262e04 543->552 553 299c35-299c3d 543->553 544->532 547 299bf2-299bf8 544->547 547->535 591 299d10-299d28 call 29b67d 552->591 592 299cb3-299cb7 552->592 556 299c6b-299c80 call 2621d8 553->556 557 299c3f-299c4a 553->557 578 299f3a 554->578 579 29ac23-29ac2a 554->579 560 299e5a-299e6f call 29b650 555->560 556->552 562 299c4c-299c52 557->562 563 299c54 557->563 575 299e7b-299e7e call 2621d8 560->575 576 299e71-299e79 560->576 564 299c56-299c69 562->564 563->564 564->556 564->557 581 299e83-299f06 call 29bde4 fputs call 261fa0 575->581 576->581 582 299f41-299f9d call 29b650 call 29b5e9 call 29bde4 fputs call 261fa0 578->582 583 29ac3a-29ac66 call 29b96d call 261e40 call 283247 579->583 584 29ac2c-29ac33 579->584 581->554 581->560 659 299f9f 582->659 616 29ac68-29ac6a 583->616 617 29ac6e-29acb5 call 261e40 call 2611c2 call 29be0c call 292db9 583->617 584->583 589 29ac35 call 29b988 584->589 589->583 618 299d4b-299d53 591->618 619 299d2a-299d4a fputs call 2621d8 591->619 597 299cb9-299cbc call 26315e 592->597 598 299cc1-299cdd call 2631e5 592->598 597->598 611 299cdf-299d00 call 263221 call 2631e5 call 261089 598->611 612 299d05-299d0e 598->612 611->612 612->591 612->592 616->617 624 299d59-299d5d 618->624 625 299dff-299e1f call 261fa0 call 261e40 618->625 619->618 631 299d5f-299d6d fputs 624->631 632 299d6e-299d82 624->632 625->539 625->540 631->632 641 299df0-299df9 632->641 642 299d84-299d88 632->642 641->624 641->625 648 299d8a-299d94 642->648 649 299d95-299d9f 642->649 648->649 650 299da1-299da3 649->650 651 299da5-299db1 649->651 650->651 656 299dd8-299dee 650->656 657 299db8 651->657 658 299db3-299db6 651->658 656->641 656->642 663 299dbb-299dce 657->663 658->663 659->579 670 299dd0-299dd3 663->670 671 299dd5 663->671 670->656 671->656
                              APIs
                                • Part of subcall function 0029B5B1: fputs.MSVCRT ref: 0029B5CA
                                • Part of subcall function 0029B5B1: fputs.MSVCRT ref: 0029B5E1
                              • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,?,?), ref: 002999BD
                              • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?), ref: 002999C4
                              • _CxxThrowException.MSVCRT(?,003155B8), ref: 00299A77
                              • _CxxThrowException.MSVCRT(?,003155B8), ref: 00299ABB
                                • Part of subcall function 00261FB3: __EH_prolog.LIBCMT ref: 00261FB8
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs$BufferConsoleH_prologHandleInfoScreen
                              • String ID: $ || $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$P$offset=$p&2$p&2$N
                              • API String ID: 377453556-863721827
                              • Opcode ID: bed09dfe607756339bf0a342d1601782b3aab4428c552064fc45193abf6a5ede
                              • Instruction ID: 0104c204b7042c39c68090d3e1c1364f3094e78c797be54b72e5ff5d8112eb19
                              • Opcode Fuzzy Hash: bed09dfe607756339bf0a342d1601782b3aab4428c552064fc45193abf6a5ede
                              • Instruction Fuzzy Hash: 58228C31910209DFDF15EFA8D885BEDBBB5EF48310F20005EE545AB292CB359AA5CF61
                              Function 00271ADE Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 288COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 672 271ade-271b14 call 2ffb10 call 2613f5 677 271b16-271b2d call 281d73 _CxxThrowException 672->677 678 271b32-271b8b _fileno _isatty _fileno _isatty _fileno _isatty 672->678 677->678 680 271b9d-271b9f 678->680 681 271b8d-271b91 678->681 682 271ba0-271bcd 680->682 681->680 684 271b93-271b97 681->684 685 271bcf-271bf8 call 271ea4 call 2627bb call 261e40 682->685 686 271bf9-271c12 682->686 684->680 687 271b99-271b9b 684->687 685->686 689 271c14-271c18 686->689 690 271c20 686->690 687->682 689->690 692 271c1a-271c1e 689->692 693 271c27-271c2b 690->693 692->690 692->693 695 271c34-271c3e 693->695 696 271c2d 693->696 697 271c40-271c43 695->697 698 271c49-271c53 695->698 696->695 697->698 700 271c55-271c58 698->700 701 271c5e-271c68 698->701 700->701 703 271c73-271c79 701->703 704 271c6a-271c6d 701->704 706 271c7b-271c87 703->706 707 271cc9-271cd2 703->707 704->703 710 271c95-271ca1 call 271ed1 706->710 711 271c89-271c93 706->711 708 271cd4-271ce6 707->708 709 271cea call 271eb9 707->709 708->709 714 271cef-271cf8 709->714 718 271ca3-271cbb call 281d73 _CxxThrowException 710->718 719 271cc0-271cc3 710->719 711->707 716 271d37-271d40 714->716 717 271cfa-271d0a 714->717 723 271d46-271d52 716->723 724 271e93-271ea1 716->724 720 271dc2-271dd4 wcscmp 717->720 721 271d10 717->721 718->719 719->707 726 271d17-271d1f call 269399 720->726 728 271dda-271de6 call 271ed1 720->728 721->726 723->724 725 271d58-271d93 call 2626dd call 26280c call 263221 call 263bbf 723->725 756 271d95-271d9c 725->756 757 271d9f-271da3 725->757 726->716 737 271d21-271d32 call 2e6a60 call 269313 726->737 728->726 735 271dec-271e04 call 281d73 _CxxThrowException 728->735 744 271e09-271e0c 735->744 737->716 747 271e31-271e4a call 271f0c GetCurrentProcess SetProcessAffinityMask 744->747 748 271e0e 744->748 761 271e83-271e92 call 263172 call 261e40 747->761 762 271e4c-271e82 GetLastError call 263221 call 2658a9 call 2631e5 call 261e40 747->762 751 271e14-271e2c call 281d73 _CxxThrowException 748->751 752 271e10-271e12 748->752 751->747 752->747 752->751 756->757 757->744 760 271da5-271dbd call 281d73 _CxxThrowException 757->760 760->720 761->724 762->761
                              APIs
                              • __EH_prolog.LIBCMT ref: 00271AE3
                                • Part of subcall function 002613F5: __EH_prolog.LIBCMT ref: 002613FA
                              • _CxxThrowException.MSVCRT(?,00316010), ref: 00271B2D
                              • _fileno.MSVCRT ref: 00271B3E
                              • _isatty.MSVCRT ref: 00271B47
                              • _fileno.MSVCRT ref: 00271B5D
                              • _isatty.MSVCRT ref: 00271B60
                              • _fileno.MSVCRT ref: 00271B73
                              • _CxxThrowException.MSVCRT(?,00316010), ref: 00271CBB
                              • _CxxThrowException.MSVCRT(?,00316010), ref: 00271DBD
                              • wcscmp.MSVCRT ref: 00271DCA
                              • _CxxThrowException.MSVCRT(?,00316010), ref: 00271E04
                              • _isatty.MSVCRT ref: 00271B76
                                • Part of subcall function 00281D73: __EH_prolog.LIBCMT ref: 00281D78
                              • _CxxThrowException.MSVCRT(?,00316010), ref: 00271E2C
                              • GetCurrentProcess.KERNEL32(00000000,00000000,?,Set process affinity mask: ,?), ref: 00271E3B
                              • SetProcessAffinityMask.KERNEL32(00000000), ref: 00271E42
                              • GetLastError.KERNEL32(?,Set process affinity mask: ,?), ref: 00271E4C
                              Strings
                              • Unsupported switch postfix for -slp, xrefs: 00271DF1
                              • Unsupported switch postfix -bb, xrefs: 00271CA8
                              • unsupported value -stm, xrefs: 00271E19
                              • : ERROR : , xrefs: 00271E52
                              • Set process affinity mask: , xrefs: 00271D74
                              • Unsupported switch postfix -stm, xrefs: 00271DAA
                              • SeLockMemoryPrivilege, xrefs: 00271D28
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prolog_fileno_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                              • String ID: : ERROR : $SeLockMemoryPrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp$unsupported value -stm
                              • API String ID: 1826148334-1115009270
                              • Opcode ID: abe17d34cee7aced6c54781ed9f8cafb6d36243aabddaa1b1622f219e49fb994
                              • Instruction ID: 3af959dd649ff4cffc4afbc43748562591b3ab6115b196c878074e7c71ff788a
                              • Opcode Fuzzy Hash: abe17d34cee7aced6c54781ed9f8cafb6d36243aabddaa1b1622f219e49fb994
                              • Instruction Fuzzy Hash: 68C1C0319212469FDB22DFB8C899BD9BBF4AF19304F04C499E48997292C774E9B4CF11
                              Function 00298012 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 240COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 777 298012-298032 call 2ffb10 780 298038-29806c fputs call 298341 777->780 781 298285 777->781 785 2980c8-2980cd 780->785 786 29806e-298071 780->786 783 298287-298295 781->783 787 2980cf-2980d4 785->787 788 2980d6-2980df 785->788 789 29808b-29808d 786->789 790 298073-298089 fputs call 261fa0 786->790 791 2980e2-298110 call 298341 call 298622 787->791 788->791 793 29808f-298094 789->793 794 298096-29809f 789->794 790->785 804 29811e-29812f call 298565 791->804 805 298112-298119 call 29831f 791->805 797 2980a2-2980c7 call 262e47 call 2985c6 call 261e40 793->797 794->797 797->785 804->783 812 298135-29813f 804->812 805->804 813 29814d-29815b 812->813 814 298141-298148 call 2982bb 812->814 813->783 817 298161-298164 813->817 814->813 818 2981b6-2981c0 817->818 819 298166-298186 817->819 820 298276-29827f 818->820 821 2981c6-2981e1 fputs 818->821 823 298298-29829d 819->823 824 29818c-298196 call 298565 819->824 820->780 820->781 821->820 828 2981e7-2981fb 821->828 826 2982b1-2982b9 SysFreeString 823->826 831 29819b-29819d 824->831 826->783 829 2981fd-29821f 828->829 830 298273 828->830 834 29829f-2982a1 829->834 835 298221-298245 829->835 830->820 831->823 832 2981a3-2981b4 SysFreeString 831->832 832->818 832->819 836 2982ae 834->836 838 2982a3-2982ab call 26965d 835->838 839 298247-298271 call 2984a7 call 26965d SysFreeString 835->839 836->826 838->836 839->829 839->830
                              APIs
                              • __EH_prolog.LIBCMT ref: 00298017
                              • fputs.MSVCRT ref: 0029804D
                                • Part of subcall function 00298341: __EH_prolog.LIBCMT ref: 00298346
                                • Part of subcall function 00298341: fputs.MSVCRT ref: 0029835B
                                • Part of subcall function 00298341: fputs.MSVCRT ref: 00298364
                              • fputs.MSVCRT ref: 0029807A
                                • Part of subcall function 00261FA0: fputc.MSVCRT ref: 00261FA7
                                • Part of subcall function 0026965D: VariantClear.OLEAUT32(?), ref: 0026967F
                              • SysFreeString.OLEAUT32(00000000), ref: 002981AA
                              • fputs.MSVCRT ref: 002981CD
                              • SysFreeString.OLEAUT32(00000000), ref: 00298267
                              • SysFreeString.OLEAUT32(00000000), ref: 002982B1
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$FreeString$H_prolog$ClearVariantfputc
                              • String ID: --$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2889736305-3797937567
                              • Opcode ID: 92855a091fbcf7ba15685976e9bb15b8a77c2342c5f40565e3571f6831be3d97
                              • Instruction ID: 02d52689a318874ec8fa046a6e64df6ef73ca3b0f5c07745000d77fd71426cfa
                              • Opcode Fuzzy Hash: 92855a091fbcf7ba15685976e9bb15b8a77c2342c5f40565e3571f6831be3d97
                              • Instruction Fuzzy Hash: 87918831A20609EFDF15DFA4C991AAEB7B5FF49310F28412DE502E7290DB70AD15CB60
                              Function 00296766 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 135COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 846 296766-296792 call 2ffb10 EnterCriticalSection 849 2967af-2967b7 846->849 850 296794-296799 call 29c7d7 846->850 851 2967b9 call 261f91 849->851 852 2967be-2967c3 849->852 854 29679e-2967ac 850->854 851->852 856 2967c9-2967d5 852->856 857 296892-2968a8 852->857 854->849 858 296817-29682f 856->858 859 2967d7-2967dd 856->859 860 2968ae-2968b4 857->860 861 296941 857->861 864 296831-296842 call 261fa0 858->864 865 296873-29687b 858->865 859->858 862 2967df-2967eb 859->862 860->861 863 2968ba-2968c2 860->863 866 296943-29695a 861->866 869 2967ed 862->869 870 2967f3-296801 862->870 868 296933-29693f call 29c5cd 863->868 871 2968c4-2968e6 call 261fa0 fputs 863->871 864->865 883 296844-29686c fputs call 262201 864->883 867 296881-296887 865->867 865->868 867->868 873 29688d 867->873 868->866 869->870 870->865 875 296803-296815 fputs 870->875 887 2968e8-2968f9 fputs 871->887 888 2968fb-296917 call 274f2a call 261fb3 call 261e40 871->888 879 29692e call 261f91 873->879 881 29686e call 261fa0 875->881 879->868 881->865 883->881 890 29691c-296928 call 261fa0 887->890 888->890 890->879
                              APIs
                              • __EH_prolog.LIBCMT ref: 0029676B
                              • EnterCriticalSection.KERNEL32(00322938), ref: 00296781
                              • fputs.MSVCRT ref: 0029680B
                              • LeaveCriticalSection.KERNEL32(00322938), ref: 00296944
                                • Part of subcall function 0029C7D7: fputs.MSVCRT ref: 0029C840
                              • fputs.MSVCRT ref: 00296851
                                • Part of subcall function 00262201: fputs.MSVCRT ref: 0026221E
                              • fputs.MSVCRT ref: 002968D9
                              • fputs.MSVCRT ref: 002968F6
                                • Part of subcall function 00261FA0: fputc.MSVCRT ref: 00261FA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterH_prologLeavefputc
                              • String ID: v$8)2$8)2$Sub items Errors:
                              • API String ID: 2670240366-1316320651
                              • Opcode ID: 6c7c3a7bc173f486ee01bf01c1334318842cfeca8a501ec441c092bedcab42de
                              • Instruction ID: 3e2d89004238888978273a59cd23a8974edb5d2c8a892eaf87a74e82f466da8a
                              • Opcode Fuzzy Hash: 6c7c3a7bc173f486ee01bf01c1334318842cfeca8a501ec441c092bedcab42de
                              • Instruction Fuzzy Hash: B1519D31521701DFDB259F64D8A8AEAB7E2FF84310F54492EE19A87661CB307CA8CF50
                              Function 00296359 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 252COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 898 296359-296373 call 2ffb10 901 29639e-2963af call 295a4d 898->901 902 296375-296385 call 29c7d7 898->902 908 2965ee-2965f1 901->908 909 2963b5-2963cd 901->909 902->901 907 296387-29639b 902->907 907->901 912 2965f3-2965fb 908->912 913 296624-29663c 908->913 910 2963cf 909->910 911 2963d2-2963d4 909->911 910->911 918 2963df-2963e7 911->918 919 2963d6-2963d9 911->919 914 2966ea call 29c5cd 912->914 915 296601-296607 call 298012 912->915 916 29663e call 261f91 913->916 917 296643-29664b 913->917 927 2966ef-2966fd 914->927 928 29660c-29660e 915->928 916->917 917->914 923 296651-29668f fputs call 26211a call 261fa0 call 298685 917->923 924 2963e9-2963f2 call 261fa0 918->924 925 296411-296413 918->925 919->918 922 2964b1-2964bc call 296700 919->922 945 2964be-2964c1 922->945 946 2964c7-2964cf 922->946 923->927 980 296691-296697 923->980 924->925 950 2963f4-29640c call 26210c call 261fa0 924->950 929 296442-296446 925->929 930 296415-29641d 925->930 928->927 934 296614-29661f call 261fa0 928->934 938 296448-296450 929->938 939 296497-29649f 929->939 935 29642a-29643b 930->935 936 29641f-296425 call 296134 930->936 934->914 935->929 936->935 947 29647f-296490 938->947 948 296452-29647a fputs call 261fa0 call 261fb3 call 261fa0 938->948 939->922 942 2964a1-2964ac call 261fa0 call 261f91 939->942 942->922 945->946 953 2965a2-2965a6 945->953 954 2964f9-2964fb 946->954 955 2964d1-2964da call 261fa0 946->955 947->939 948->947 950->925 962 2965a8-2965b6 953->962 963 2965da-2965e6 953->963 959 29652a-29652e 954->959 960 2964fd-296505 954->960 955->954 985 2964dc-2964f4 call 26210c call 261fa0 955->985 973 29657f-296587 959->973 974 296530-296538 959->974 970 296512-296523 960->970 971 296507-29650d call 296134 960->971 975 2965b8-2965ca call 296244 962->975 976 2965d3 962->976 963->909 979 2965ec 963->979 970->959 971->970 973->953 987 296589-296595 call 261fa0 973->987 982 29653a-296562 fputs call 261fa0 call 261fb3 call 261fa0 974->982 983 296567-296578 974->983 975->976 999 2965cc-2965ce call 261f91 975->999 976->963 979->908 989 296699-29669f 980->989 990 2966df-2966e5 call 261f91 980->990 982->983 983->973 985->954 987->953 1002 296597-29659d call 261f91 987->1002 996 2966a1-2966b1 fputs 989->996 997 2966b3-2966ce call 274f2a call 261fb3 call 261e40 989->997 990->914 1003 2966d3-2966da call 261fa0 996->1003 997->1003 999->976 1002->953 1003->990
                              APIs
                              • __EH_prolog.LIBCMT ref: 0029635E
                              • fputs.MSVCRT ref: 0029645F
                                • Part of subcall function 0029C7D7: fputs.MSVCRT ref: 0029C840
                              • fputs.MSVCRT ref: 00296547
                              • fputs.MSVCRT ref: 0029665F
                              • fputs.MSVCRT ref: 002966AE
                                • Part of subcall function 00261F91: fflush.MSVCRT ref: 00261F93
                                • Part of subcall function 00261FB3: __EH_prolog.LIBCMT ref: 00261FB8
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog$fflushfree
                              • String ID: Can't allocate required memory$ERRORS:$WARNINGS:
                              • API String ID: 1750297421-1898165966
                              • Opcode ID: 8f76d4de9819d875f8a0b116a1c910786fc7c13971c87d4aefb859d5c57dcc60
                              • Instruction ID: 98c42a18897531c926dc8d37efa73502454f82f1326288983b04d47123916920
                              • Opcode Fuzzy Hash: 8f76d4de9819d875f8a0b116a1c910786fc7c13971c87d4aefb859d5c57dcc60
                              • Instruction Fuzzy Hash: AAB17B30621702CFDF25EF60C9A9BAAB7E1BF44304F04492DE55A97692CB74B8A4CF51
                              Function 00269C8F Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 47libraryloaderCOMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1016 269c8f-269cc2 GetModuleHandleA GetProcAddress 1017 269cc4-269ccc GlobalMemoryStatusEx 1016->1017 1018 269cef-269d06 GlobalMemoryStatus 1016->1018 1017->1018 1019 269cce-269cd7 1017->1019 1020 269d0b-269d0d 1018->1020 1021 269d08 1018->1021 1022 269ce5 1019->1022 1023 269cd9 1019->1023 1024 269d11-269d15 1020->1024 1021->1020 1027 269ce8-269ced 1022->1027 1025 269ce0-269ce3 1023->1025 1026 269cdb-269cde 1023->1026 1025->1027 1026->1022 1026->1025 1027->1024
                              APIs
                              • GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00269CB3
                              • GetProcAddress.KERNEL32(00000000), ref: 00269CBA
                              • GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00269CC8
                              • GlobalMemoryStatus.KERNEL32(?), ref: 00269CFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus$AddressHandleModuleProc
                              • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                              • API String ID: 180289352-802862622
                              • Opcode ID: 4e0456e889d7fa980e85c57a5e6ec14c90ecb1dd3fc4b2c0cd05559cdd3c84d2
                              • Instruction ID: c41d079e36893ed82f24ccd4d718cfc4f2aed1acd3d0e704fb16db39513c7ef8
                              • Opcode Fuzzy Hash: 4e0456e889d7fa980e85c57a5e6ec14c90ecb1dd3fc4b2c0cd05559cdd3c84d2
                              • Instruction Fuzzy Hash: 1A115B709212099FCF24DF94D899B9DB7FCBB08305F10051AD442E7280DB78A8C0CB94
                              Function 002AF1B2 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 168COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1028 2af1b2-2af1ce call 2ffb10 call 271168 1032 2af1d3-2af1d5 1028->1032 1033 2af36a-2af378 1032->1033 1034 2af1db-2af1e4 call 2af3e4 1032->1034 1037 2af1ed-2af1f2 1034->1037 1038 2af1e6-2af1e8 1034->1038 1039 2af203-2af21a 1037->1039 1040 2af1f4-2af1f9 1037->1040 1038->1033 1043 2af21c-2af22c _CxxThrowException 1039->1043 1044 2af231-2af248 memcpy 1039->1044 1040->1039 1041 2af1fb-2af1fe 1040->1041 1041->1033 1043->1044 1045 2af24c-2af257 1044->1045 1046 2af259 1045->1046 1047 2af25c-2af25e 1045->1047 1046->1047 1048 2af260-2af26f 1047->1048 1049 2af281-2af299 1047->1049 1050 2af279-2af27b 1048->1050 1051 2af271 1048->1051 1057 2af29b-2af2a0 1049->1057 1058 2af311-2af313 1049->1058 1050->1049 1055 2af315-2af318 1050->1055 1053 2af273-2af275 1051->1053 1054 2af277 1051->1054 1053->1050 1053->1054 1054->1050 1056 2af357-2af368 1055->1056 1056->1033 1057->1055 1059 2af2a2-2af2b5 call 2af37b 1057->1059 1058->1056 1063 2af2f0-2af30c memmove 1059->1063 1064 2af2b7-2af2cf call 2fe1a0 1059->1064 1063->1045 1067 2af31a-2af355 memcpy 1064->1067 1068 2af2d1-2af2eb call 2af37b 1064->1068 1067->1056 1068->1064 1072 2af2ed 1068->1072 1072->1063
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: C1$C1
                              • API String ID: 3519838083-2218672710
                              • Opcode ID: 74bd0cd5ce780b15545c4d8a558c7cf81606fe60cd947dae98f5018ff7f6a0be
                              • Instruction ID: 9d9e68f542891283664bdcb94342ec6fb14024fc8a85155f1daf095fdca02448
                              • Opcode Fuzzy Hash: 74bd0cd5ce780b15545c4d8a558c7cf81606fe60cd947dae98f5018ff7f6a0be
                              • Instruction Fuzzy Hash: 0551A375A103069FDF50DFE4C980BBEB3B5FF89354F148429E901AB241DB78AD158B60
                              Function 002FFF3A Relevance: 10.6, APIs: 7, Instructions: 57COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$__getmainargs__p___initenv__p__commode__p__fmode__set_app_type
                              • String ID:
                              • API String ID: 4012487245-0
                              • Opcode ID: ae2b99e69e2e43ffb04711b6b9ecff3d007655dc66f9cc83dd987a149a3cfe18
                              • Instruction ID: 4d507beff21825c89d6f9d1bc89a6eb50ea4c607a60e45c37ef5b202878fb4ed
                              • Opcode Fuzzy Hash: ae2b99e69e2e43ffb04711b6b9ecff3d007655dc66f9cc83dd987a149a3cfe18
                              • Instruction Fuzzy Hash: 28214775911208AFCB2ADFA4DC55BAEBB78FB09720F00421AF611A22E1C7745545CB20
                              Function 002FFFB1 Relevance: 10.5, APIs: 7, Instructions: 43COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: _initterm$FilterXcpt__getmainargs__p___initenv__setusermatherr_controlfpexit
                              • String ID:
                              • API String ID: 279829931-0
                              • Opcode ID: accbe8ba2c7b0aef99d8ba0b1b722cce52be62c116d5c04c3b03fee98c18c23a
                              • Instruction ID: 1be259aa6c55cb6fde62d1308685da4ed107dd72e37b907e318004a7cd6a8a2e
                              • Opcode Fuzzy Hash: accbe8ba2c7b0aef99d8ba0b1b722cce52be62c116d5c04c3b03fee98c18c23a
                              • Instruction Fuzzy Hash: FF010CB6D11208EFDB0A9BE0DC55DEEB779FB0C710F10411AF502B62A1DA759940CB20
                              Function 00281858 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 213COMMON
                              Download Yara Rule

                              Control-flow Graph

                              APIs
                              • __EH_prolog.LIBCMT ref: 0028185D
                                • Part of subcall function 0028021A: __EH_prolog.LIBCMT ref: 0028021F
                                • Part of subcall function 0028062E: __EH_prolog.LIBCMT ref: 00280633
                              • _CxxThrowException.MSVCRT(?,00316010), ref: 00281961
                                • Part of subcall function 00281AA5: __EH_prolog.LIBCMT ref: 00281AAA
                              Strings
                              • Duplicate archive path:, xrefs: 00281A8D
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID: Duplicate archive path:
                              • API String ID: 2366012087-4000988232
                              • Opcode ID: 8fa3f8dc61deefed88a7bc2733f11d7350fca29206c00f2c4618f479c67b4b76
                              • Instruction ID: 117aab3d62e7ec8f8309682647bc5b7444c0adb445b54c7d7a7c75f025baf361
                              • Opcode Fuzzy Hash: 8fa3f8dc61deefed88a7bc2733f11d7350fca29206c00f2c4618f479c67b4b76
                              • Instruction Fuzzy Hash: E8816835D11259DFCF15EFA4D892ADDBBB5AF18310F1040A9E416B32A2DB30AE65CF60
                              Function 00266C72 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 398COMMON
                              Download Yara Rule

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 1563 266c72-266c8e call 2ffb10 1566 266c96-266c9e 1563->1566 1567 266c90-266c94 1563->1567 1569 266ca6-266cae 1566->1569 1570 266ca0-266ca4 1566->1570 1567->1566 1568 266cd3-266cdc call 268664 1567->1568 1576 266d87-266d92 call 2688c6 1568->1576 1577 266ce2-266d02 call 2667f0 call 262f88 call 2687df 1568->1577 1569->1568 1571 266cb0-266cb5 1569->1571 1570->1568 1570->1569 1571->1568 1573 266cb7-266cce call 2667f0 call 262f88 1571->1573 1590 26715d-26715f 1573->1590 1585 266f4c-266f62 call 2687fa 1576->1585 1586 266d98-266d9e 1576->1586 1601 266d04-266d09 1577->1601 1602 266d4a-266d61 call 267b41 1577->1602 1598 266f67-266f74 call 2685e2 1585->1598 1599 266f64-266f66 1585->1599 1586->1585 1589 266da4-266dc7 call 262e47 * 2 1586->1589 1612 266dd4-266dda 1589->1612 1613 266dc9-266dcf 1589->1613 1593 267118-267126 1590->1593 1608 266f76-266f7c 1598->1608 1609 266fd1-266fd8 1598->1609 1599->1598 1601->1602 1605 266d0b-266d38 call 269252 1601->1605 1618 266d67-266d6b 1602->1618 1619 266d63-266d65 1602->1619 1605->1602 1628 266d3a-266d45 1605->1628 1608->1609 1616 266f7e-266f8a call 266bf5 1608->1616 1614 266fe4-266feb 1609->1614 1615 266fda-266fde 1609->1615 1620 266df1-266df9 call 263221 1612->1620 1621 266ddc-266def call 262407 1612->1621 1613->1612 1625 26701d-267024 call 268782 1614->1625 1626 266fed-266ff7 call 266bf5 1614->1626 1615->1614 1623 2670e5-2670ea call 266868 1615->1623 1616->1623 1642 266f90-266f93 1616->1642 1630 266d6d-266d75 1618->1630 1631 266d78 1618->1631 1629 266d7a-266d82 call 26764c 1619->1629 1634 266dfe-266e0b call 2687df 1620->1634 1621->1620 1621->1634 1644 2670ef-2670f3 1623->1644 1625->1623 1649 26702a-267035 1625->1649 1626->1623 1647 266ffd-267000 1626->1647 1628->1590 1645 267116 1629->1645 1630->1631 1631->1629 1654 266e43-266e50 call 266c72 1634->1654 1655 266e0d-266e10 1634->1655 1642->1623 1648 266f99-266fb6 call 2667f0 call 262f88 1642->1648 1650 2670f5-2670f7 1644->1650 1651 26710c 1644->1651 1645->1593 1647->1623 1656 267006-26701b call 2667f0 1647->1656 1684 266fc2-266fc5 call 26717b 1648->1684 1685 266fb8-266fbd 1648->1685 1649->1623 1658 26703b-267044 call 268578 1649->1658 1650->1651 1652 2670f9-267102 1650->1652 1653 26710e-267111 call 266848 1651->1653 1652->1651 1660 267104-267107 call 26717b 1652->1660 1653->1645 1675 266e56 1654->1675 1676 266f3a-266f4b call 261e40 * 2 1654->1676 1663 266e12-266e15 1655->1663 1664 266e1e-266e36 call 2667f0 1655->1664 1677 266fca-266fcc 1656->1677 1658->1623 1674 26704a-267054 call 26717b 1658->1674 1660->1651 1663->1654 1670 266e17-266e1c 1663->1670 1681 266e58-266e7e call 262f1c call 262e04 1664->1681 1683 266e38-266e41 call 262fec 1664->1683 1670->1654 1670->1664 1691 267056-26705f call 262f88 1674->1691 1692 267064-267097 call 262e47 call 261089 * 2 call 266868 1674->1692 1675->1681 1676->1585 1677->1653 1701 266e83-266e99 call 266bb5 1681->1701 1683->1681 1684->1677 1685->1684 1703 267155-267158 call 266848 1691->1703 1722 2670bf-2670cc call 266bf5 1692->1722 1723 267099-2670af wcscmp 1692->1723 1709 266ecf-266ed1 1701->1709 1710 266e9b-266e9f 1701->1710 1703->1590 1712 266f09-266f35 call 261e40 * 2 call 266848 call 261e40 * 2 1709->1712 1713 266ec7-266ec9 SetLastError 1710->1713 1714 266ea1-266eae call 2622bf 1710->1714 1712->1645 1713->1709 1725 266ed3-266ed9 1714->1725 1726 266eb0-266ec5 call 261e40 call 262e04 1714->1726 1742 2670ce-2670d1 1722->1742 1743 267129-267133 call 2667f0 1722->1743 1729 2670b1-2670b6 1723->1729 1730 2670bb 1723->1730 1732 266eec-266f07 call 2631e5 1725->1732 1733 266edb-266ee0 1725->1733 1726->1701 1736 267147-267154 call 262f88 call 261e40 1729->1736 1730->1722 1732->1712 1733->1732 1738 266ee2-266ee8 1733->1738 1736->1703 1738->1732 1749 2670d3-2670d6 1742->1749 1750 2670d8-2670e4 call 261e40 1742->1750 1759 267135-267138 1743->1759 1760 26713a 1743->1760 1749->1743 1749->1750 1750->1623 1762 267141-267144 1759->1762 1760->1762 1762->1736
                              APIs
                              • __EH_prolog.LIBCMT ref: 00266C77
                              • SetLastError.KERNEL32(00000002,-00000050,0000000F,-00000038,:$DATA,?,00000000,?), ref: 00266EC9
                                • Part of subcall function 00266C72: wcscmp.MSVCRT ref: 002670A5
                                • Part of subcall function 00266BF5: __EH_prolog.LIBCMT ref: 00266BFA
                                • Part of subcall function 00266BF5: GetFileAttributesW.KERNEL32(?,?,?,00000000,?), ref: 00266C1A
                                • Part of subcall function 00266BF5: GetFileAttributesW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00266C49
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFileH_prolog$ErrorLastwcscmp
                              • String ID: :$DATA
                              • API String ID: 3316598575-2587938151
                              • Opcode ID: 37104d2be5d14388baa663db24072a13e4bb6ca9f0b95a7f5e20f2ee9ad4c71d
                              • Instruction ID: 906e50a9170a3393aa23f05815ad27d116c31b19e8c05106b8f7b5afd546ff79
                              • Opcode Fuzzy Hash: 37104d2be5d14388baa663db24072a13e4bb6ca9f0b95a7f5e20f2ee9ad4c71d
                              • Instruction Fuzzy Hash: B4E1453092020ADACF25EFA4D899BEEB7B1FF15318F104119E846672D1DB71A9E9CF50
                              Function 00276FC5 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00276FCA
                                • Part of subcall function 00276E71: __EH_prolog.LIBCMT ref: 00276E76
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                              • API String ID: 3519838083-394804653
                              • Opcode ID: 6a1654f70597fbcd07c6cefe7b00b7347adf57c1d023b47c2d86dfa0d495c8ff
                              • Instruction ID: 12699a8d78af45cde70f57f0a7dbcd88f3917c7571ab1f08eeb4841676f63390
                              • Opcode Fuzzy Hash: 6a1654f70597fbcd07c6cefe7b00b7347adf57c1d023b47c2d86dfa0d495c8ff
                              • Instruction Fuzzy Hash: B641E7329292459BCF31DFA4C4509EEFBF5AF59300F58846ED08EA3201C6706E64CBA1
                              Function 002984A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: c20e36b6d137635878f97e7b6f38f3d708eb4a8c1d3b763ce9dff1c6c9bc2ae0
                              • Instruction ID: 24943aa7b9e1d7e86176149a2127f39e7403a303295db82ccd8d33e31aeddb67
                              • Opcode Fuzzy Hash: c20e36b6d137635878f97e7b6f38f3d708eb4a8c1d3b763ce9dff1c6c9bc2ae0
                              • Instruction Fuzzy Hash: 4B216032925118EBCF0AEB94D952BEDBBB5EF58310F25002AE40172191DF726EA5CF91
                              Function 002ABDB5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002ABDBA
                                • Part of subcall function 002ABE69: __EH_prolog.LIBCMT ref: 002ABE6E
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$00$D0
                              • API String ID: 3519838083-3280946535
                              • Opcode ID: 6b4f77a0598b373c5afd716aa68f56e1d711e13d1c864a9ccb98a6a8d1e067b2
                              • Instruction ID: 78b87e47fbae9ef829c973ee19e94af3497f5daaeed689bcacd363dc58ccf3d6
                              • Opcode Fuzzy Hash: 6b4f77a0598b373c5afd716aa68f56e1d711e13d1c864a9ccb98a6a8d1e067b2
                              • Instruction Fuzzy Hash: CC11E6B5501744CFC326DF69C5986C6FBE4BF19304F50C96ED0AA47752D7B0A548CB50
                              Function 00298341 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00298346
                              • fputs.MSVCRT ref: 0029835B
                              • fputs.MSVCRT ref: 00298364
                                • Part of subcall function 002983BF: __EH_prolog.LIBCMT ref: 002983C4
                                • Part of subcall function 002983BF: fputs.MSVCRT ref: 00298401
                                • Part of subcall function 002983BF: fputs.MSVCRT ref: 00298437
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$H_prolog
                              • String ID: =
                              • API String ID: 2614055831-2525689732
                              • Opcode ID: 0b920a7ed1433f82fcf45222acb0fee1df733818c7feb1a4af28e4efadc68c25
                              • Instruction ID: 9f74cabb8bcb1ef5dc55a85cd1cc818132eeb1b16790ffebf19ee08f0815a102
                              • Opcode Fuzzy Hash: 0b920a7ed1433f82fcf45222acb0fee1df733818c7feb1a4af28e4efadc68c25
                              • Instruction Fuzzy Hash: 12016231A20108EBCF16BBA4D812AEDBB75AF84750F04406AF401922A1CF755AA5DFD5
                              Function 002F7DA0 Relevance: 6.0, APIs: 4, Instructions: 38synchronizationCOMMON
                              Download Yara Rule
                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00000000,0027AB57), ref: 002F7DAA
                              • GetLastError.KERNEL32(?,00000000,0027AB57), ref: 002F7DBB
                              • CloseHandle.KERNELBASE(00000000,?,00000000,0027AB57), ref: 002F7DCF
                              • GetLastError.KERNEL32(?,00000000,0027AB57), ref: 002F7DD9
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                              • String ID:
                              • API String ID: 1796208289-0
                              • Opcode ID: 6c6e1fd89104c558669d84e8f01f6822c0994418513011241402a5a8a9377d01
                              • Instruction ID: 11e89c6e5f8064405063fa8a9170441767bb77ebf4a5bf5ae83269d383b5730f
                              • Opcode Fuzzy Hash: 6c6e1fd89104c558669d84e8f01f6822c0994418513011241402a5a8a9377d01
                              • Instruction Fuzzy Hash: ABF0FE7132920B47EB215FBD9C84B76A69CAF553F4B600776E661D21D0DBA0CC508620
                              Function 00295883 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 22COMMON
                              Download Yara Rule
                              APIs
                              • EnterCriticalSection.KERNEL32(00322938), ref: 0029588B
                              • LeaveCriticalSection.KERNEL32(00322938), ref: 002958BC
                                • Part of subcall function 0029C911: GetTickCount.KERNEL32 ref: 0029C926
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$CountEnterLeaveTick
                              • String ID: v$8)2
                              • API String ID: 1056156058-3293438690
                              • Opcode ID: 0593a197d6dfde6718f7276fbbecd71a4783cf3cd9325cb7f77f068b8c6b3edc
                              • Instruction ID: 4f242f3a691f57ae560e11a2def2971228623c33c28a709cd5ee2af52b43b3ce
                              • Opcode Fuzzy Hash: 0593a197d6dfde6718f7276fbbecd71a4783cf3cd9325cb7f77f068b8c6b3edc
                              • Instruction Fuzzy Hash: CFE06579626220EFC705DF18E808E9A37A9AF98311F02056EF00587362CB30C888CBA1
                              Function 00282096 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 722COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0028209B
                                • Part of subcall function 0026757D: GetLastError.KERNEL32(0026D14C), ref: 0026757D
                                • Part of subcall function 00282C6C: __EH_prolog.LIBCMT ref: 00282C71
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 683690243-1569138187
                              • Opcode ID: c66acf375c14dc67e6874e8ea773aed962aafb9298d5cad9ccb6d84188fd208a
                              • Instruction ID: 47604d277d3e897ffe90ac6ce5c6c1002b61b36b5aa46ed1443664ecd23b4dba
                              • Opcode Fuzzy Hash: c66acf375c14dc67e6874e8ea773aed962aafb9298d5cad9ccb6d84188fd208a
                              • Instruction Fuzzy Hash: 53726A74D11259DFCB25EF68C884BDDBBB5BF58300F14809AE859A7292C770AEA4CF50
                              Function 0029C911 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CountTickfputs
                              • String ID: .
                              • API String ID: 290905099-4150638102
                              • Opcode ID: 13f9e416cd72d8d3e62cea3c7d014498b57e8a9c95d3d79bd7aa7e3fc4d3d04e
                              • Instruction ID: 0c2f84a053aa70520a85eadbdd778f1b29a4759f587bca7fc5603028bf5af053
                              • Opcode Fuzzy Hash: 13f9e416cd72d8d3e62cea3c7d014498b57e8a9c95d3d79bd7aa7e3fc4d3d04e
                              • Instruction Fuzzy Hash: BD715830620B059FDF25EF64C991AAEB7F6BF81304F60481DE08797A81DB70B999CB11
                              Function 002A08B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00269C8F: GetModuleHandleA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx), ref: 00269CB3
                                • Part of subcall function 00269C8F: GetProcAddress.KERNEL32(00000000), ref: 00269CBA
                                • Part of subcall function 00269C8F: GlobalMemoryStatusEx.KERNELBASE(00000040), ref: 00269CC8
                              • __aulldiv.LIBCMT ref: 002A093F
                              • __aulldiv.LIBCMT ref: 002A094B
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: __aulldiv$AddressGlobalHandleMemoryModuleProcStatus
                              • String ID: 3333
                              • API String ID: 3520896023-2924271548
                              • Opcode ID: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction ID: 9bd71a1e8e4ce3ea37625e1377e0580a61910ccbffa88effda1795604bd97f76
                              • Opcode Fuzzy Hash: aa80bea9d6c22138b4e28b4c2bf2419a07f06abe99e39d7f84be716b64eca7ac
                              • Instruction Fuzzy Hash: 3421A8B19107096FE730DF698881A6FFAFDEF85B50F00892EA186D3241DA70A9548B55
                              Function 0028A7C5 Relevance: 5.1, APIs: 2, Strings: 1, Instructions: 606COMMON
                              Download Yara Rule
                              APIs
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              • memset.MSVCRT ref: 0028AEBA
                              • memset.MSVCRT ref: 0028AECD
                                • Part of subcall function 002A04D2: _CxxThrowException.MSVCRT(?,00314A58), ref: 002A04F8
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: memset$ExceptionThrowfree
                              • String ID: Split
                              • API String ID: 1404239998-1882502421
                              • Opcode ID: e6e04ddd5951343bbcfd90971538c54aba07253c31e4c1932172e58b4f038020
                              • Instruction ID: 775797fb02262e8b554abdeb0961b9fa9da5fd3c4752e496b6b8d5d41da3ab3b
                              • Opcode Fuzzy Hash: e6e04ddd5951343bbcfd90971538c54aba07253c31e4c1932172e58b4f038020
                              • Instruction Fuzzy Hash: 27428E34A15249DFEF25EFA4C884BEDB7B1BF19304F14409AE449A7291CB71ADA1CF11
                              Function 0026759A Relevance: 4.6, APIs: 3, Instructions: 64fileCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0026759F
                                • Part of subcall function 0026764C: CloseHandle.KERNELBASE(00000000,?,002675AF,00000002,?,00000000,00000000), ref: 00267657
                              • CreateFileW.KERNELBASE(00000000,00000000,?,00000000,00000002,00000000,00000000,?,00000000,00000002,?,00000000,00000000), ref: 002675E5
                              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,00000000,?,00000000,00000002), ref: 00267626
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CreateFile$CloseH_prologHandle
                              • String ID:
                              • API String ID: 449569272-0
                              • Opcode ID: d99c57bcca5007a1822b44b5fc80bf23bdc8312a555d9c12f4e026216ddc4460
                              • Instruction ID: 6b3f0cc7af2dee914242cf28a5a8867b8742c7617b3a2992030055fd218695bc
                              • Opcode Fuzzy Hash: d99c57bcca5007a1822b44b5fc80bf23bdc8312a555d9c12f4e026216ddc4460
                              • Instruction Fuzzy Hash: 8B11847281010AEFCF119FA4DC418EEBB7AFF14368B108629F961561A1C7719DB5DF50
                              Function 002983BF Relevance: 4.6, APIs: 3, Instructions: 60COMMON
                              Download Yara Rule
                              APIs
                              • fputs.MSVCRT ref: 00298437
                              • fputs.MSVCRT ref: 00298401
                                • Part of subcall function 00261FB3: __EH_prolog.LIBCMT ref: 00261FB8
                              • __EH_prolog.LIBCMT ref: 002983C4
                                • Part of subcall function 00261FA0: fputc.MSVCRT ref: 00261FA7
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs$fputc
                              • String ID:
                              • API String ID: 678540050-0
                              • Opcode ID: 780a096789fd042b0bae23f3e45e7667bf7c9f35ebc41d0b5de1c7a9819ab6f2
                              • Instruction ID: 914eb608df2ee9384bc3cc59d22a390e306932018132f9129ae6863a703fcb60
                              • Opcode Fuzzy Hash: 780a096789fd042b0bae23f3e45e7667bf7c9f35ebc41d0b5de1c7a9819ab6f2
                              • Instruction Fuzzy Hash: B6118631E242159BCF0AB7A0D8235AEBB75DF44750F14002AF501926E1DF6569B58ED4
                              Function 00267731 Relevance: 4.6, APIs: 3, Instructions: 60COMMON
                              Download Yara Rule
                              APIs
                              • SetFilePointer.KERNELBASE(00000002,?,00000000,?,00000002,00000002,?,00000002,?,002677DB,?,?,00000000,?,00267832,?), ref: 00267773
                              • GetLastError.KERNEL32(?,002677DB,?,?,00000000,?,00267832,?,?,?,?,00000000), ref: 00267780
                              • SetLastError.KERNEL32(00000000,?,?,002677DB,?,?,00000000,?,00267832,?,?,?,?,00000000), ref: 00267797
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$FilePointer
                              • String ID:
                              • API String ID: 1156039329-0
                              • Opcode ID: 4d443f7bb1a650fc5a84858a2bb1c42ffc3d54a26c7465ac517d0fcefc6e05a7
                              • Instruction ID: c3ac85b5bb29b148aebb92564a9bd5ab1e76a1dab68c9de824999e734d28a695
                              • Opcode Fuzzy Hash: 4d443f7bb1a650fc5a84858a2bb1c42ffc3d54a26c7465ac517d0fcefc6e05a7
                              • Instruction Fuzzy Hash: 16110430210305AFEF16CF68DC45BAE77E5AF04324F108529F81287291D7B09D60DB50
                              Function 00265A8C Relevance: 4.6, APIs: 3, Instructions: 54COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00265A91
                              • SetFileAttributesW.KERNELBASE(?,?,?,?,00000000), ref: 00265AB7
                              • SetFileAttributesW.KERNEL32(?,?,00000000,?,?,00000000), ref: 00265AEC
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AttributesFile$H_prolog
                              • String ID:
                              • API String ID: 3790360811-0
                              • Opcode ID: c39811462bdedb85ab9dcc88f0861db3d820146f7142d72bc6c706a7791043f8
                              • Instruction ID: d769d34ba384d4f999e8a4f8cda4b369e5a3a41f6ce13c734453be6f7c144bab
                              • Opcode Fuzzy Hash: c39811462bdedb85ab9dcc88f0861db3d820146f7142d72bc6c706a7791043f8
                              • Instruction Fuzzy Hash: 5201D232D20226ABCF05AFA0D8916BEB779FF54350F144526EC11A3291CB768C71DA50
                              Function 00275BEA Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 481COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00275BEF
                                • Part of subcall function 002754C0: __EH_prolog.LIBCMT ref: 002754C5
                                • Part of subcall function 00275630: __EH_prolog.LIBCMT ref: 00275635
                                • Part of subcall function 002836EA: __EH_prolog.LIBCMT ref: 002836EF
                                • Part of subcall function 002757C1: __EH_prolog.LIBCMT ref: 002757C6
                                • Part of subcall function 002758BE: __EH_prolog.LIBCMT ref: 002758C3
                              Strings
                              • Cannot seek to begin of file, xrefs: 0027610F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: Cannot seek to begin of file
                              • API String ID: 3519838083-2298593816
                              • Opcode ID: 01bc8b52746cdd806ed636663e968754fa73547ac21e8c29f34c5c9fe9394f07
                              • Instruction ID: 4ab1ed5a9e34d20c61612b97159086805944af292d6c1c30f03018519fa96273
                              • Opcode Fuzzy Hash: 01bc8b52746cdd806ed636663e968754fa73547ac21e8c29f34c5c9fe9394f07
                              • Instruction Fuzzy Hash: C1120630924A469FDF25DFA4C489BEEBBF5AF05304F14805DE44E57292CBB0ADA4CB51
                              Function 002A4E8A Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 468COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002A4E8F
                                • Part of subcall function 0026965D: VariantClear.OLEAUT32(?), ref: 0026967F
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ClearH_prologVariantfree
                              • String ID: file
                              • API String ID: 904627215-2359244304
                              • Opcode ID: baac9d5b87516d898a8fd26807d32a8d119e800bf8f99d68bb63043a43cd35bd
                              • Instruction ID: 435ef5407f543bbe6aa57d5e531aca2a56d83fb11beb3e32940045d94bc3046c
                              • Opcode Fuzzy Hash: baac9d5b87516d898a8fd26807d32a8d119e800bf8f99d68bb63043a43cd35bd
                              • Instruction Fuzzy Hash: 45129130910609DFCF15EFA4C981ADEBBB6BF59344F244068E405AB252DB72AEA5CF50
                              Function 00282CDB Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 388COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00282CE0
                                • Part of subcall function 00265E10: __EH_prolog.LIBCMT ref: 00265E15
                                • Part of subcall function 002741EC: _CxxThrowException.MSVCRT(?,00314A58), ref: 0027421A
                                • Part of subcall function 0026965D: VariantClear.OLEAUT32(?), ref: 0026967F
                              Strings
                              • Cannot create output directory, xrefs: 00283070
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ClearExceptionThrowVariant
                              • String ID: Cannot create output directory
                              • API String ID: 814188403-1181934277
                              • Opcode ID: 1e8ebd2411f5ee74e9478592e86d8f2f2689b14e325aa342ee1f1318acd64960
                              • Instruction ID: f2d66171b997d419606969e59bb98115db9c3258db36b3598821e0b1777697a2
                              • Opcode Fuzzy Hash: 1e8ebd2411f5ee74e9478592e86d8f2f2689b14e325aa342ee1f1318acd64960
                              • Instruction Fuzzy Hash: 99F1D53492228ADFCF25EFA4C890AEDBBB5BF18300F14409DE44563291DB31AE69CF51
                              Function 0029C7D7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • fputs.MSVCRT ref: 0029C840
                                • Part of subcall function 002625CB: _CxxThrowException.MSVCRT(?,00314A58), ref: 002625ED
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowfputs
                              • String ID:
                              • API String ID: 1334390793-399585960
                              • Opcode ID: 51b7fe223091602cb91800ff7dbfed6c0b1e9eef29622d1776ddb1b6b4fff18d
                              • Instruction ID: 4e28362fa5fed07d690b80cdac976111114e363c64fd8e576e609bb3f51eface
                              • Opcode Fuzzy Hash: 51b7fe223091602cb91800ff7dbfed6c0b1e9eef29622d1776ddb1b6b4fff18d
                              • Instruction Fuzzy Hash: 6B11DD71614740AFDB26CF58C8C1BAABBEAFF49304F14446EE1868B240C7B1B854CB60
                              Function 00296086 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Open
                              • API String ID: 1795875747-71445658
                              • Opcode ID: 2d36aacb0f178b584c2d6a3a890dc23f4dbb9d98be0131c21667ed3c06992f5b
                              • Instruction ID: 1943eb23aa7fe0f235ac3ba29add540c00672ef803193124025292eeb68d0712
                              • Opcode Fuzzy Hash: 2d36aacb0f178b584c2d6a3a890dc23f4dbb9d98be0131c21667ed3c06992f5b
                              • Instruction Fuzzy Hash: B411A032116704DFCB21EF34D995ADABBE5EF14310F50892EE19A83252DA71B864CF50
                              Function 002758BE Relevance: 3.3, APIs: 2, Instructions: 253COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002758C3
                                • Part of subcall function 00266C72: __EH_prolog.LIBCMT ref: 00266C77
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 05d1a32840222a4ed094cf51a32ae220ea18a52f7b4b4308bf26d8fabcd8f1c0
                              • Instruction ID: ea15a55398c9e87c0e705ff7af2cbca63bd8c33a155cf57eeb5a51420d89ce83
                              • Opcode Fuzzy Hash: 05d1a32840222a4ed094cf51a32ae220ea18a52f7b4b4308bf26d8fabcd8f1c0
                              • Instruction Fuzzy Hash: 8591F531920526DFCF21DFA4C891AFEFBB2EF44344F148069E54AA7251DBB15DA4CB90
                              Function 002B06AE Relevance: 3.2, APIs: 2, Instructions: 206COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002B06B3
                              • _CxxThrowException.MSVCRT(?,0031D480), ref: 002B08F2
                                • Part of subcall function 00261E0C: malloc.MSVCRT ref: 00261E1F
                                • Part of subcall function 00261E0C: _CxxThrowException.MSVCRT(?,00314B28), ref: 00261E39
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrow$H_prologmalloc
                              • String ID:
                              • API String ID: 3044594480-0
                              • Opcode ID: a505d002514a95831ba66fb6cb534bb4ac1669616abe564c1423b2c8fce8aa47
                              • Instruction ID: 6e68445c74d2b07c5fce53a74ca5f9ef91d6b2446d795fe890f836df17bf0448
                              • Opcode Fuzzy Hash: a505d002514a95831ba66fb6cb534bb4ac1669616abe564c1423b2c8fce8aa47
                              • Instruction Fuzzy Hash: 84914D71D10249DFCF22DFA8C891AEEBBB5BF19344F148099E445A7252CB30AE65CF61
                              Function 00277190 Relevance: 3.1, APIs: 2, Instructions: 138COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 74e9a81b85881fdfe7f91ccd14a257ee2cc9a66acc4813939d4307b482b9945f
                              • Instruction ID: 7ea561540dd8617d8f7d7bb0fe5749520a0bb666aba5dfd3341ca3644f48e563
                              • Opcode Fuzzy Hash: 74e9a81b85881fdfe7f91ccd14a257ee2cc9a66acc4813939d4307b482b9945f
                              • Instruction Fuzzy Hash: 3C518070518B419FDB26DF74C490AEABBF5BF45300F14C99DE8DA4B212D730A994DB50
                              Function 00287B48 Relevance: 3.1, APIs: 2, Instructions: 122COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00287B4D
                              • memcpy.MSVCRT(00000000,003227DC,00000000,00000000,?,?,00000000,00000000,00000000,00000002), ref: 00287C65
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prologmemcpy
                              • String ID:
                              • API String ID: 2991061955-0
                              • Opcode ID: 59f1423c1dffd85603f9c7b7876bf7c76a2955c8e789db23412fc5a1b888abad
                              • Instruction ID: fc064b826cb724b1a6319604eb7494c856568b7fcbfc2061d6f7ba3ff294dcfa
                              • Opcode Fuzzy Hash: 59f1423c1dffd85603f9c7b7876bf7c76a2955c8e789db23412fc5a1b888abad
                              • Instruction Fuzzy Hash: 5F419D359252199BCF21EFA4C951AEEB7F4BF14304F204429E446A3292DB31EE29CF50
                              Function 002B1511 Relevance: 3.0, APIs: 2, Instructions: 39COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002B1516
                                • Part of subcall function 002B10D3: __EH_prolog.LIBCMT ref: 002B10D8
                              • _CxxThrowException.MSVCRT(?,0031D480), ref: 002B1561
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              • Opcode ID: 8423bafd2e7fcadb6bf1bfb560d9c832828c42840aed0289504f9a589b438e9a
                              • Instruction ID: f9b867bc7d9980aec1e66d01633be865e2eebad48a66b41dfdfbc263869c4eaa
                              • Opcode Fuzzy Hash: 8423bafd2e7fcadb6bf1bfb560d9c832828c42840aed0289504f9a589b438e9a
                              • Instruction Fuzzy Hash: D201F232510249AEDF128F94C825BEF7FB8EF85394F44406AF4455A211C3B6A9718BA0
                              Function 002957FB Relevance: 3.0, APIs: 2, Instructions: 29COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00295800
                              • fputs.MSVCRT ref: 00295830
                                • Part of subcall function 00261FA0: fputc.MSVCRT ref: 00261FA7
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputcfputsfree
                              • String ID:
                              • API String ID: 195749403-0
                              • Opcode ID: 6c5894c5a68b16e6160666b2385625beedc85d2db17ae9a58d2146c86a2935d6
                              • Instruction ID: 3e76bca2950dabd0106fab969583cf6a584a8f97545a874cbafb06656793d585
                              • Opcode Fuzzy Hash: 6c5894c5a68b16e6160666b2385625beedc85d2db17ae9a58d2146c86a2935d6
                              • Instruction Fuzzy Hash: 11F05E32921514DBCB1AAF94E5127EEBBB5FF04350F00442AE501A25E1CB7469A5CF84
                              Function 0026950D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
                              Download Yara Rule
                              APIs
                              • SysAllocStringLen.OLEAUT32(?,?), ref: 0026952C
                              • _CxxThrowException.MSVCRT(?,003155B8), ref: 0026954A
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID:
                              • API String ID: 3773818493-0
                              • Opcode ID: 8721691e3a72fb71336f11d23686d44952229ae84de78eadc11486525512838b
                              • Instruction ID: cbf7bc31dad735d04d89927247d59a99986e040dd014a4e3f5d213d32693f64e
                              • Opcode Fuzzy Hash: 8721691e3a72fb71336f11d23686d44952229ae84de78eadc11486525512838b
                              • Instruction Fuzzy Hash: BFF06571220304AFC711EF94D855D86B7ECEF05780B40852AF905CB210EB70E8908B90
                              Function 0029B5B1 Relevance: 3.0, APIs: 2, Instructions: 26COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs$fputc
                              • String ID:
                              • API String ID: 1185151155-0
                              • Opcode ID: 51557f1dc55cad8967c6df8b498c369114714c0b1a359c472cb74db945f90113
                              • Instruction ID: 5a63dc74384d386dbe943bcccc4278504cbb97c54f05958c0a3b2972f8671161
                              • Opcode Fuzzy Hash: 51557f1dc55cad8967c6df8b498c369114714c0b1a359c472cb74db945f90113
                              • Instruction Fuzzy Hash: 54E0C27B2191106FDA1B2B89BC8189437D9DBC936132A012FE640D32B0AF933C655EA4
                              Function 002F7E00 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast_beginthreadex
                              • String ID:
                              • API String ID: 4034172046-0
                              • Opcode ID: bf6623cb619efd05e9595f560c01aaeb073622c83737bfea86c33d0a1497fb21
                              • Instruction ID: b8eef751cf6a4cd58678c5694d2987271f94b70bf2ec3f4bd9db3a427871fb74
                              • Opcode Fuzzy Hash: bf6623cb619efd05e9595f560c01aaeb073622c83737bfea86c33d0a1497fb21
                              • Instruction Fuzzy Hash: 28E08CB22192026AE3109B608C02F77B69CABA0B80F40847EBA45C6180E6A0CD20C7A1
                              Function 00269C4D Relevance: 3.0, APIs: 2, Instructions: 7COMMON
                              Download Yara Rule
                              APIs
                              • GetCurrentProcess.KERNEL32(?,?,00269C6E), ref: 00269C52
                              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00269C59
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: Process$AffinityCurrentMask
                              • String ID:
                              • API String ID: 1231390398-0
                              • Opcode ID: cb3d824927ea20f98b35139dc59962ee4c66149f8118aafa7e41114f02266ceb
                              • Instruction ID: 53c19a07b251f5dc90fb4a8622405d3f623e322c99ea2a6ae6af2fd7466fbb94
                              • Opcode Fuzzy Hash: cb3d824927ea20f98b35139dc59962ee4c66149f8118aafa7e41114f02266ceb
                              • Instruction Fuzzy Hash: A6B012B2421100FFCF019BB0DD6CC163B2CEA04301700D746F109C2050C636C445CB60
                              Function 0026B668 Relevance: 2.7, APIs: 2, Instructions: 222COMMON
                              Download Yara Rule
                              APIs
                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00040000,?), ref: 0026B843
                              • GetLastError.KERNEL32 ref: 0026B8AA
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLastmemcpy
                              • String ID:
                              • API String ID: 2523627151-0
                              • Opcode ID: eff06b3ecfa59d237085b71544784124aad8c2b23f1872612666d0b195184b5a
                              • Instruction ID: 59148ab7f1fb62dc0dd5f8c765bc1fb87159fd44bb6f9ed604b9746b653576d2
                              • Opcode Fuzzy Hash: eff06b3ecfa59d237085b71544784124aad8c2b23f1872612666d0b195184b5a
                              • Instruction Fuzzy Hash: 0F814C35A207069FDB66CE25C980A6AB7FABF84314F14492EE846C7A50D730F8E1CF50
                              Function 00261E0C Relevance: 2.5, APIs: 2, Instructions: 18COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 2436765578-0
                              • Opcode ID: be827f1b78c990dd611a7f1a6db1017d252c2291c573b9ac669eaed5f0007ec4
                              • Instruction ID: 3bc878fefecbf2019c90e40a6103eb7bf6d8d1e17a61823c0c73810eb500e594
                              • Opcode Fuzzy Hash: be827f1b78c990dd611a7f1a6db1017d252c2291c573b9ac669eaed5f0007ec4
                              • Instruction Fuzzy Hash: FDE0C23011424CAACF115FA0D814BD83F6C5F04399F04E025FD0C8E202C271D7F18B80
                              Function 002AB05D Relevance: 2.2, APIs: 1, Instructions: 653COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 00449f2bd390d1563bd58a5f72b6ee60a394fcfc1fa85da51d1b610b7357b03d
                              • Instruction ID: 1d8af6723a4061bc51cd9d816515fec13d35fb3d15cd3a5609b685eeafdda93c
                              • Opcode Fuzzy Hash: 00449f2bd390d1563bd58a5f72b6ee60a394fcfc1fa85da51d1b610b7357b03d
                              • Instruction Fuzzy Hash: 1F52933091024ADFDF12CFA8C594BADBBB5AF4A304F18409DE805AB292DB75DE55CF21
                              Function 00276305 Relevance: 1.9, APIs: 1, Instructions: 377COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 7f8b953733530c3919fbff1114dbdedf2c93279b0ec176e28c7f28cc36b153b6
                              • Instruction ID: b7223e65cfc7b9ae47d33a74d2c7ca21b7e755925dc7fa56bc19b484e12df70b
                              • Opcode Fuzzy Hash: 7f8b953733530c3919fbff1114dbdedf2c93279b0ec176e28c7f28cc36b153b6
                              • Instruction Fuzzy Hash: E2F1DF70524B86CFCF25CF64C498AAABBE1BF15304F98886ED48E8B611D731AD64DB11
                              Function 002B10D3 Relevance: 1.8, APIs: 1, Instructions: 336COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 8e1cae64a31b67378a9d377f622d0d7a8486439979e40d9fc8608059ec15cab6
                              • Instruction ID: aff79537074c246861e3acd1cd5cea94a48c57853ed50b9f56730ee4ece5b0ba
                              • Opcode Fuzzy Hash: 8e1cae64a31b67378a9d377f622d0d7a8486439979e40d9fc8608059ec15cab6
                              • Instruction Fuzzy Hash: 43D1BC70A20746AFDF29CFA8C890BEEBBF1BF09340F50456DE45597651DB74A8A0CB90
                              Function 002ACF91 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002ACF96
                                • Part of subcall function 002B1511: __EH_prolog.LIBCMT ref: 002B1516
                                • Part of subcall function 002B1511: _CxxThrowException.MSVCRT(?,0031D480), ref: 002B1561
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrow
                              • String ID:
                              • API String ID: 2366012087-0
                              • Opcode ID: b18b6d179a57e9ad3b527d0061a9857a4bd0c17f255fabbd788c82401ae8b475
                              • Instruction ID: ef83c3ef50d5ef33fc66fbd1adc7ecd3a58511523ca24e824dfb31f72695633a
                              • Opcode Fuzzy Hash: b18b6d179a57e9ad3b527d0061a9857a4bd0c17f255fabbd788c82401ae8b475
                              • Instruction Fuzzy Hash: 1D51527191024ADFCB11CFA8C4C8B9EBBB4AF4A304F1444AEE45AD7242CB759E55DF21
                              Function 0029F784 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 74d7bdcfc67e187de19ad81a7d7eb535af274d309a4c9457b2eb702a56258fda
                              • Instruction ID: 05aeffe45863beb0fa5f0c8447e64d0d8f3808c24be76b520f5b8b6b70c7abbc
                              • Opcode Fuzzy Hash: 74d7bdcfc67e187de19ad81a7d7eb535af274d309a4c9457b2eb702a56258fda
                              • Instruction Fuzzy Hash: 88517B74A10606DFCF94CFA4C5809AAFBB2FF49340B10496DD592DB751D331A926CF90
                              Function 002AAD3A Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: ef7bd64f63977c48f30500d39205fdce65bb4c34604e25942d1d5d06570aa692
                              • Instruction ID: 24ebf574e62d86a2e323065e8c2768042e2b23a950fb2127f4b9f19c760dfb76
                              • Opcode Fuzzy Hash: ef7bd64f63977c48f30500d39205fdce65bb4c34604e25942d1d5d06570aa692
                              • Instruction Fuzzy Hash: B841B170A20746EFDB24CF54C484B6ABBB0BF46310F148A6DD89697A91CB70ED91CB51
                              Function 00274250 Relevance: 1.6, APIs: 1, Instructions: 114COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00274255
                                • Part of subcall function 0027440B: __EH_prolog.LIBCMT ref: 00274410
                                • Part of subcall function 00261E0C: malloc.MSVCRT ref: 00261E1F
                                • Part of subcall function 00261E0C: _CxxThrowException.MSVCRT(?,00314B28), ref: 00261E39
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 30324fd553bbcd846605f1ad691f5d41266036bb86226bd4c2b08bfb9633cb7f
                              • Instruction ID: 488c71a2dc82cdad5ad0ba94c4682b382dbc584644ebb212a322b8ee53ccba22
                              • Opcode Fuzzy Hash: 30324fd553bbcd846605f1ad691f5d41266036bb86226bd4c2b08bfb9633cb7f
                              • Instruction Fuzzy Hash: 5651D9B4402B84CFC326DFA9C19469AFBF0BF19304F9488AEC49E57652D7B1A618CF51
                              Function 0028D0E1 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0028D0E6
                                • Part of subcall function 00261E0C: malloc.MSVCRT ref: 00261E1F
                                • Part of subcall function 00261E0C: _CxxThrowException.MSVCRT(?,00314B28), ref: 00261E39
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ExceptionH_prologThrowmalloc
                              • String ID:
                              • API String ID: 3978722251-0
                              • Opcode ID: 364b605352a363ff708d870cc268757d359be31e3e62bc9f70933b4246c2b874
                              • Instruction ID: f4895b0f3cb9b293e76d22e22c66e265f3830955419ad3906fdbbb53ead06183
                              • Opcode Fuzzy Hash: 364b605352a363ff708d870cc268757d359be31e3e62bc9f70933b4246c2b874
                              • Instruction Fuzzy Hash: 1A41F675A212559FDB10EFA8C888BAEBBB4BF45310F244459E446E72C2CBB0DD64CB90
                              Function 00277FC5 Relevance: 1.6, APIs: 1, Instructions: 89COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00277FCA
                                • Part of subcall function 0026950D: SysAllocStringLen.OLEAUT32(?,?), ref: 0026952C
                                • Part of subcall function 0026950D: _CxxThrowException.MSVCRT(?,003155B8), ref: 0026954A
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AllocExceptionH_prologStringThrow
                              • String ID:
                              • API String ID: 1940201546-0
                              • Opcode ID: beb24fe0f7f18778820a7ef3cddd78e890505869627a5c884f9d836022a42034
                              • Instruction ID: 0eb75a317ef79d21efc1976cac656228c4c82a41c110d483871780c8c4cc1ad4
                              • Opcode Fuzzy Hash: beb24fe0f7f18778820a7ef3cddd78e890505869627a5c884f9d836022a42034
                              • Instruction Fuzzy Hash: B531C37287014ACACF19AFA4C859DFE7774FF24310F408029E01AB7161EE759A68CB55
                              Function 0029ADB7 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0029ADBC
                                • Part of subcall function 0029AD29: __EH_prolog.LIBCMT ref: 0029AD2E
                                • Part of subcall function 0029AF2D: __EH_prolog.LIBCMT ref: 0029AF32
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 60b49a662a14d82548050f5370176eb9e142b5a2806e603eca2bd4e7c39ae6c4
                              • Instruction ID: 62f0abb95673a2c6e78f7e23d5ec30f28fb3d2eb61e60b995e8fd0d442994ea8
                              • Opcode Fuzzy Hash: 60b49a662a14d82548050f5370176eb9e142b5a2806e603eca2bd4e7c39ae6c4
                              • Instruction Fuzzy Hash: 7741B97144ABC0DEC326DF7881656C6FFE06F35204F94899EC4EA43B52D670A61CCB66
                              Function 0028062E Relevance: 1.6, APIs: 1, Instructions: 78COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 81958f12de16593e085acdcc7f1fd0f76ac7ea0c0e75e0f45ccbb4af5f6aac67
                              • Instruction ID: 6a5e2cf5dc754a20d50cd6264fa5e6a545c16ecc26b8f4eefd5d3775162ea864
                              • Opcode Fuzzy Hash: 81958f12de16593e085acdcc7f1fd0f76ac7ea0c0e75e0f45ccbb4af5f6aac67
                              • Instruction Fuzzy Hash: 63313E78D11219DFCB54EF95C8A18EEBBB8FF84364B20851DE42A67281D7309D25CFA0
                              Function 002898F2 Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002898F7
                                • Part of subcall function 00289987: __EH_prolog.LIBCMT ref: 0028998C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: 1369f154c997647bc8ac4c8458db302c48ebd5b2ed06269aa62420ae0df8d74a
                              • Instruction ID: f953b77484f3978bd03bf2e65c9c3745455ce619f7a91f8c15e8394971e97e5f
                              • Opcode Fuzzy Hash: 1369f154c997647bc8ac4c8458db302c48ebd5b2ed06269aa62420ae0df8d74a
                              • Instruction Fuzzy Hash: 17117F39611246AFDB14DF58C884AAAB3A9FF89350F18891CF952DB291CB31E860CB10
                              Function 0028021A Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0028021F
                                • Part of subcall function 00273D66: __EH_prolog.LIBCMT ref: 00273D6B
                                • Part of subcall function 00273D66: GetCurrentProcess.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273D7D
                                • Part of subcall function 00273D66: OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273D94
                                • Part of subcall function 00273D66: LookupPrivilegeValueW.ADVAPI32(00000000,SeSecurityPrivilege,?), ref: 00273DB6
                                • Part of subcall function 00273D66: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273DCB
                                • Part of subcall function 00273D66: GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273DD5
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prologProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 1532160333-0
                              • Opcode ID: 7400fca2642aaa3beaa06e7908ce44cc4092b8901a6a2385ae5f176ec5cb3968
                              • Instruction ID: a5fe8f0aa92a1fd88fcc8702531f208070d240679ff53a334bc3d59f06474ab8
                              • Opcode Fuzzy Hash: 7400fca2642aaa3beaa06e7908ce44cc4092b8901a6a2385ae5f176ec5cb3968
                              • Instruction Fuzzy Hash: ED2139B1946B90CFC361CF6A86D0686FFF4BB29604B94996EC0DA83B12C370A508CF55
                              Function 00281C6F Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00281C74
                                • Part of subcall function 00266C72: __EH_prolog.LIBCMT ref: 00266C77
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: ec01f1188f40ea51807bc7a7c3d6f17ea7814a6c4450a346e4bcb51c393c3edf
                              • Instruction ID: 55f6c9edab308942eab0ae8175bef7ce275226e6f3f8539988cc608c900cabf6
                              • Opcode Fuzzy Hash: ec01f1188f40ea51807bc7a7c3d6f17ea7814a6c4450a346e4bcb51c393c3edf
                              • Instruction Fuzzy Hash: BA11A175921604DBCF15FBD4C952BEDBB79AF18354F000029E842631D2CB625DBACF91
                              Function 00277E5A Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00277E5F
                                • Part of subcall function 00266C72: __EH_prolog.LIBCMT ref: 00266C77
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                                • Part of subcall function 0026757D: GetLastError.KERNEL32(0026D14C), ref: 0026757D
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ErrorLastfree
                              • String ID:
                              • API String ID: 683690243-0
                              • Opcode ID: 4931a8e14322feda88e6f62cdf87bc24cb9934541de236d42da25ce18197500b
                              • Instruction ID: 72d6c2d63f177540f8defc6e088ca47cad9ed526cbf92612eae4170ab62869d5
                              • Opcode Fuzzy Hash: 4931a8e14322feda88e6f62cdf87bc24cb9934541de236d42da25ce18197500b
                              • Instruction Fuzzy Hash: F30104326617009FC721EF74C4A29DFBBB1EF45310F10862EE88753692CA30A96CCE50
                              Function 002ABF8C Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002ABF91
                                • Part of subcall function 002AD144: __EH_prolog.LIBCMT ref: 002AD149
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 62bfe53455ccb4a41e75b119734319d43ee75ed8cda32284111c8e1d608250f8
                              • Instruction ID: 52b304ec5247e726fb2bedbc3aa904d7f38f5428a532d24e8569f5d7f9e61785
                              • Opcode Fuzzy Hash: 62bfe53455ccb4a41e75b119734319d43ee75ed8cda32284111c8e1d608250f8
                              • Instruction Fuzzy Hash: 6C115E71521714DFC725EF64C906BCABBF4BF05344F108A2CA4A6A3591DBB1BA64CF80
                              Function 00267AB2 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON
                              Download Yara Rule
                              APIs
                              • SetFileTime.KERNEL32(00000002,00000000,000000FF,00000000,00000000,80000000,00000000,?,00261AD1,00000000,00000002,00000002,?,00267B3E,?,00000000), ref: 00267AFD
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: 15461c8ab31b81d736eb8ce03c34caa7bb6fd8d2d577b5655e3328dfa922df22
                              • Instruction ID: a9644e819286f02f575cd3c3a1717aea612f491378088e2d7a0062b830f57c87
                              • Opcode Fuzzy Hash: 15461c8ab31b81d736eb8ce03c34caa7bb6fd8d2d577b5655e3328dfa922df22
                              • Instruction Fuzzy Hash: 1D01A230114289BFDF268F54DC05BEE3FA9AB05324F148249B9A6522E1C6B09EA0DB50
                              Function 0029ACF8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0029C0B8
                                • Part of subcall function 00287193: __EH_prolog.LIBCMT ref: 00287198
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 6f7bd8d0df94b7cac2cac2e54cd040e5f92fb14457a95ad96e9069da976bc8c8
                              • Instruction ID: 89cfacdc4c5c7b389c0af59d69aba49e5e0798f8c84831d3b74d8b21ef003b75
                              • Opcode Fuzzy Hash: 6f7bd8d0df94b7cac2cac2e54cd040e5f92fb14457a95ad96e9069da976bc8c8
                              • Instruction Fuzzy Hash: A1F0B472A21312DBDB269F59D8517AEF3A9EF58760F20002FE50597641CBB2EC708A90
                              Function 002A035F Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002A0364
                                • Part of subcall function 002A01C4: __EH_prolog.LIBCMT ref: 002A01C9
                                • Part of subcall function 002A0143: __EH_prolog.LIBCMT ref: 002A0148
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                                • Part of subcall function 002A03D8: __EH_prolog.LIBCMT ref: 002A03DD
                                • Part of subcall function 002A004A: __EH_prolog.LIBCMT ref: 002A004F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$free
                              • String ID:
                              • API String ID: 2654054672-0
                              • Opcode ID: 42c6254a1706e43785601ef69940cec8f10c09557435c0bcd265915a87ad4913
                              • Instruction ID: 3810b052e36e96227003115c13e06a4101dc88b27abc99233f8682a2b52490e6
                              • Opcode Fuzzy Hash: 42c6254a1706e43785601ef69940cec8f10c09557435c0bcd265915a87ad4913
                              • Instruction Fuzzy Hash: B7F0F430934B54DBCB1AEB68C4223DDBBE4AF05314F10469DE456632D2CFB56B248B44
                              Function 00298565 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: bda110778e8e2f457f21d7b253cff9fd018f9e1bfa939ed7e2c1a92ff773b3cf
                              • Instruction ID: c1962d2b72d7c9bf3e6f1658d7d0d2913bdf48b59b699891bd2111b61cdeab0b
                              • Opcode Fuzzy Hash: bda110778e8e2f457f21d7b253cff9fd018f9e1bfa939ed7e2c1a92ff773b3cf
                              • Instruction Fuzzy Hash: 6BF0C232E2111AEBCF00DF98C8408EFBB78FF48790B04806AF416E7250CB348A15CB90
                              Function 002A5505 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002A550A
                                • Part of subcall function 002A4E8A: __EH_prolog.LIBCMT ref: 002A4E8F
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: d8dbe34b6a2153474553063e70dd42fb0b8e0e83a07cdde0f37dbc5198b6830f
                              • Instruction ID: f291d30e27ebf852139bc3a4e16eef5428f72827864df3549462ae64cf0acba8
                              • Opcode Fuzzy Hash: d8dbe34b6a2153474553063e70dd42fb0b8e0e83a07cdde0f37dbc5198b6830f
                              • Instruction Fuzzy Hash: 30F06576A10915EBCB019F48D911A9E7BBAFF85364F104469F40157241DBB1DD208BA0
                              Function 00289987 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: dffa33e2b567e3683ceef748eb064d851089c13b437874e49fb3d8810b674d8b
                              • Instruction ID: 72d2f56e30ad359ff7d5c62424aa1f9587f408308a3ed00ec1276e78d3710fb2
                              • Opcode Fuzzy Hash: dffa33e2b567e3683ceef748eb064d851089c13b437874e49fb3d8810b674d8b
                              • Instruction Fuzzy Hash: A1E06D75610108EFC700EF98D855F9EB7A8EF49354F10845AF00A97241C7749910CA60
                              Function 002A5E2B Relevance: 1.5, APIs: 1, Instructions: 23COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002A5E30
                                • Part of subcall function 002A08B6: __aulldiv.LIBCMT ref: 002A093F
                                • Part of subcall function 0027DFC9: __EH_prolog.LIBCMT ref: 0027DFCE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$__aulldiv
                              • String ID:
                              • API String ID: 604474441-0
                              • Opcode ID: fb75db682e694cc8d7f790d0e317dda0d7233f50a7f94604b038c3e4d718ad8c
                              • Instruction ID: 8bfb02f61a23c9e9824809ec0a1d47b7e5f3453b8f16122bcc0f91c645ba14dc
                              • Opcode Fuzzy Hash: fb75db682e694cc8d7f790d0e317dda0d7233f50a7f94604b038c3e4d718ad8c
                              • Instruction Fuzzy Hash: B4E03970A217509FC755EBA8955129EB6F4BF09700F00486EE046D3B41EAB4A9108F84
                              Function 002A8ED1 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002A8ED6
                                • Part of subcall function 002A9267: __EH_prolog.LIBCMT ref: 002A926C
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: f89a4b8f25027c9f131adf16377c033840a0c4d539428744c18fe1522822e4e7
                              • Instruction ID: 2a2d286c7d38ddd1fe7e0e6dca663a0a16bbecabdb5fcc00e63f9eb355626688
                              • Opcode Fuzzy Hash: f89a4b8f25027c9f131adf16377c033840a0c4d539428744c18fe1522822e4e7
                              • Instruction Fuzzy Hash: 30E092719205249ADB09EB64D522BEDB7A8EF05704F00066DA44392682CFB46A14CB81
                              Function 00267C68 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                              Download Yara Rule
                              APIs
                              • WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00267C8B
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: a937197f08527e4586a0eb6c7b7c599c763869d36bf3fa1c4636067990d77e84
                              • Instruction ID: 96bef9fda22d000e5651ecd7ccd640532343d7672448dbe7e0887db5ec07d013
                              • Opcode Fuzzy Hash: a937197f08527e4586a0eb6c7b7c599c763869d36bf3fa1c4636067990d77e84
                              • Instruction Fuzzy Hash: 20E01A75600209FBCF11CFA5D801B8E7BB9EB09758F20C16AF9199A260D739DA50DF54
                              Function 002ABE69 Relevance: 1.5, APIs: 1, Instructions: 21COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002ABE6E
                                • Part of subcall function 002A5E2B: __EH_prolog.LIBCMT ref: 002A5E30
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: fcdcd494b5a250f4fb7a69b8e7705a17252dc95ffb3f78e97809df1cc17141d8
                              • Instruction ID: 2f9dee706db3d2c89f3612fe31dfb2227b3cf1ae9adf4cfb125a1319a972803d
                              • Opcode Fuzzy Hash: fcdcd494b5a250f4fb7a69b8e7705a17252dc95ffb3f78e97809df1cc17141d8
                              • Instruction Fuzzy Hash: 04E09272A34A608BD715EB24C421BDDF7A8BF05304F00846EE096D3282CFB46A14CBA1
                              Function 00262201 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: b984ccbca83e8198cc9b22f9fec73f8d07e3c28cb7e2faed338a8d741d10e880
                              • Instruction ID: 93e8d8596948e02b3aadbf105885b02330ec51727a62070e5409ce106c68613d
                              • Opcode Fuzzy Hash: b984ccbca83e8198cc9b22f9fec73f8d07e3c28cb7e2faed338a8d741d10e880
                              • Instruction Fuzzy Hash: 10D01232504119ABDF156B94DC05CDD77BCEF08354B04441BF541E2150EA75E5248B94
                              Function 0029F745 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0029F74A
                                • Part of subcall function 0029F784: __EH_prolog.LIBCMT ref: 0029F789
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID:
                              • API String ID: 3519838083-0
                              • Opcode ID: ea0eeab3c0522a2a234aecd47827fd8541de1848d4ddf009c3becbdf2da1b21e
                              • Instruction ID: 8dc25f86918dae90b7512907fbb506e8be61cc0923eb399b926da49a44268830
                              • Opcode Fuzzy Hash: ea0eeab3c0522a2a234aecd47827fd8541de1848d4ddf009c3becbdf2da1b21e
                              • Instruction Fuzzy Hash: 60D01275A21204BFEB149B85D952BEEF778EF44758F10052EF001A1241C3B559008AA4
                              Function 00267B4F Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                              Download Yara Rule
                              APIs
                              • ReadFile.KERNELBASE(00000002,?,?,00000000,00000000,00000002,?,0026785F,00000000,00004000,00000000,00000002,?,?,?), ref: 00267B65
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 2b42f6143b3d14276f237b31be46764178514ba0e2c95897f0089940224d4490
                              • Instruction ID: f3d5cca709312d841d0cae7063fb2c90f0b8e26c4e0457b6aae516676bb9440a
                              • Opcode Fuzzy Hash: 2b42f6143b3d14276f237b31be46764178514ba0e2c95897f0089940224d4490
                              • Instruction Fuzzy Hash: F2E0EC75201208FBDF05CF90CC01F8E7BBDAB49754F208159E905961A0C375AA54EB50
                              Function 002B80AA Relevance: 1.5, APIs: 1, Instructions: 17COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002B80AF
                                • Part of subcall function 00261E0C: malloc.MSVCRT ref: 00261E1F
                                • Part of subcall function 00261E0C: _CxxThrowException.MSVCRT(?,00314B28), ref: 00261E39
                                • Part of subcall function 002ABDB5: __EH_prolog.LIBCMT ref: 002ABDBA
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 3744649731-0
                              • Opcode ID: 2e0e838619993f5f985134c658ec38c4e06c51288176be7f82b5cb355dc20e38
                              • Instruction ID: 01eddeceb540d5f3652acb2dc7c99bbb009038946b67e55fb5481be56ad54e04
                              • Opcode Fuzzy Hash: 2e0e838619993f5f985134c658ec38c4e06c51288176be7f82b5cb355dc20e38
                              • Instruction Fuzzy Hash: 6BD05B71B115055FDB49FFB4942176E72A09B44344F00497DA416D3781EF709920CA10
                              Function 00266848 Relevance: 1.5, APIs: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              • FindClose.KERNELBASE(00000000,?,00266880), ref: 00266853
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: e167fe55d8eba65ad804d0cacb737cedb523403f467e7f4b673e7a5054c06c8d
                              • Instruction ID: 3029be3610ed666c028cd70ed600bd69752bd19b13980a0cd79e9a51f17fe649
                              • Opcode Fuzzy Hash: e167fe55d8eba65ad804d0cacb737cedb523403f467e7f4b673e7a5054c06c8d
                              • Instruction Fuzzy Hash: 37D0123112422246CA686F3EB8489C633D86E4A3347311B9AF0B0C31E2E7608CDB9A90
                              Function 00262010 Relevance: 1.5, APIs: 1, Instructions: 15COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: 4dcf971b60a960df47bac58d490b3e3f1c61d23842831c49f06865bf18f11090
                              • Instruction ID: 8f5ac599c9c12ecdc63b5ef6ec3ffa5a32a50407bd2c47547adc08c3eaac4efd
                              • Opcode Fuzzy Hash: 4dcf971b60a960df47bac58d490b3e3f1c61d23842831c49f06865bf18f11090
                              • Instruction Fuzzy Hash: 7DD0C73601C2519FD6155F05EC05C87BBA5FFD5320711081FF440511605B625865DA60
                              Function 00261FA0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputc
                              • String ID:
                              • API String ID: 1992160199-0
                              • Opcode ID: 1f052697941503c4ffa677fc841bdeb021e9a912e23bbdedfe9e8245d78b7201
                              • Instruction ID: 811735f762c5bfe5a3a0040a836d092fe5adf9a76c17db416102842d58dec533
                              • Opcode Fuzzy Hash: 1f052697941503c4ffa677fc841bdeb021e9a912e23bbdedfe9e8245d78b7201
                              • Instruction Fuzzy Hash: 80B092323192209BE6191B9CBC0AAC06798DB09732F21015BF544C21D09A911C814A95
                              Function 00267C3B Relevance: 1.5, APIs: 1, Instructions: 9timeCOMMON
                              Download Yara Rule
                              APIs
                              • SetFileTime.KERNELBASE(?,?,?,?,00267C65,00000000,00000000,?,0026F238,?,?,?,?), ref: 00267C49
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: c9422b1cbac5c92f390fced996289bc79b725169ed760ce9688fd532e17b2e82
                              • Instruction ID: 0e720b42c30f3ed9a158d29808d2ed84dbc51d14d51c51c07402427c7d10741f
                              • Opcode Fuzzy Hash: c9422b1cbac5c92f390fced996289bc79b725169ed760ce9688fd532e17b2e82
                              • Instruction Fuzzy Hash: 0FC04C36159105FFCF020F70CC04C1ABBA6ABA5711F10DA19F259C4070C7328024EB02
                              Function 00267D3C Relevance: 1.5, APIs: 1, Instructions: 6fileCOMMON
                              Download Yara Rule
                              APIs
                              • SetEndOfFile.KERNELBASE(?,00267D81,?,?,?), ref: 00267D3E
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: File
                              • String ID:
                              • API String ID: 749574446-0
                              • Opcode ID: 83b4c1a05c1a6aa486badb72980061c49cc81f939a9d007f84efd65a8c4b0283
                              • Instruction ID: f9fb8b90d3f68dadf92d7db88794224debe34b18fa6b3a0e83a86b287df2bdaf
                              • Opcode Fuzzy Hash: 83b4c1a05c1a6aa486badb72980061c49cc81f939a9d007f84efd65a8c4b0283
                              • Instruction Fuzzy Hash: 6DA002702F611B8FCF161F34DC198253AB5BB57707B6037A5B003CA4F5DF224419AA01
                              Function 0026C4D6 Relevance: 1.5, APIs: 1, Instructions: 205COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: 6e80feaad1be737f0c117428fbf42c08f16648a0acba3d1ee1de092d37bf7966
                              • Instruction ID: 2cd59575698e7940b05efe8883e3f0324480e8225ce3647e784c243b7a70afa6
                              • Opcode Fuzzy Hash: 6e80feaad1be737f0c117428fbf42c08f16648a0acba3d1ee1de092d37bf7966
                              • Instruction Fuzzy Hash: B3816071E2424A9FCF14EFA8C4C0ABDBBB5AF88314F24846AD552B7241D774AAD0CF54
                              Function 00273E04 Relevance: 1.3, APIs: 1, Instructions: 17COMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNELBASE(00000000,00000000,00273D8D,?,00000000,?,?,00000000,00000000,759A8E30), ref: 00273E12
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 4ae07cd4b8400943a190edc30060db2f001d8b5bfa038fa71451ee1a72a93dfd
                              • Instruction ID: 34a8b29c68a36079ffb8b6c46b0ab1137340396abb5302f25e56ccdeac0784b4
                              • Opcode Fuzzy Hash: 4ae07cd4b8400943a190edc30060db2f001d8b5bfa038fa71451ee1a72a93dfd
                              • Instruction Fuzzy Hash: 53D0123152522247DB749F2DF8047D663DD6F14321F15845AF884CB140E774CCD26A50
                              Function 002E6BC6 Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction ID: ab5d891d3162ddc6724bf5f975666f339828c6c9d5d7b4afe26e7fcbc12eced2
                              • Opcode Fuzzy Hash: f6689b844a0abd90852679766297054ea5ad023363036feb97c819a96c7c6895
                              • Instruction Fuzzy Hash: 0BD0237027314601CF484D314C0D7AB30851F6034EF58447CE813DB2C1F714C23A8144
                              Function 0026764C Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              • CloseHandle.KERNELBASE(00000000,?,002675AF,00000002,?,00000000,00000000), ref: 00267657
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: f93c89b6f83c6b596056aa625b2e3e04953fc318dc0f1b7d060f5a4626a57cdc
                              • Instruction ID: 1c84b507133e15cdc704354ffaf80602a9f920df3089ade11b4fd34776bb6158
                              • Opcode Fuzzy Hash: f93c89b6f83c6b596056aa625b2e3e04953fc318dc0f1b7d060f5a4626a57cdc
                              • Instruction Fuzzy Hash: 27D0123112962346CA641E3CB8459C233DC5A16338371175AF0B0C32F2D3A08CD34650
                              Function 002E6B23 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON
                              Download Yara Rule
                              APIs
                              • VirtualAlloc.KERNELBASE(00000000), ref: 002E6B31
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: cf87cf23ed2d7b9ff9c41bc38bbc6156586a67392c5534586e0effd7b15c5adb
                              • Instruction ID: 09cfa3d60cf388b9a6303e50891f786187dfa44fbfcbe5442c3210745d7478cd
                              • Opcode Fuzzy Hash: cf87cf23ed2d7b9ff9c41bc38bbc6156586a67392c5534586e0effd7b15c5adb
                              • Instruction Fuzzy Hash: 9EC08CE1A4E280DFDF0213108C507603B208B83300F0A10C2E4045B093C2041808C722
                              Function 002E69D0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction ID: 4e46b4a927c53f6e799fa6b5e4b3a7360a17c5e41c276f4fcdafcb1e35060c51
                              • Opcode Fuzzy Hash: a1e9458a9ade6dcfe768eb88d97769c87549e2230f9edfc2c16aad58367e7da2
                              • Instruction Fuzzy Hash: D9A024C55310C101DD5C11313C05437100017703477C004FCF501C0303F715D1341005
                              Function 002E6AF0 Relevance: 1.3, APIs: 1, Instructions: 8COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: malloc
                              • String ID:
                              • API String ID: 2803490479-0
                              • Opcode ID: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction ID: ec488381d5a09b375595750c2620efd0b236cb51fd2a91f737b299e2bc19bfa7
                              • Opcode Fuzzy Hash: 3fa4672c4b6bd134d2e796e347ec7e9f7655e2c8d42b0b7908dcec06aed2b463
                              • Instruction Fuzzy Hash: CEA012CDE2004101DD4410363805433141226F06457D4C474A40040305FA14C0242002
                              Function 002E6BA3 Relevance: 1.3, APIs: 1, Instructions: 6COMMON
                              Download Yara Rule
                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002E6BAC
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: beda4a606da3c7ff66d51f6e17adbb9053b1c89c56e34d10436f1dc8255cfaa3
                              • Instruction ID: 218668fd9d555308a700246797d12d9f439761f34bc2223d221923ba9a55460b
                              • Opcode Fuzzy Hash: beda4a606da3c7ff66d51f6e17adbb9053b1c89c56e34d10436f1dc8255cfaa3
                              • Instruction Fuzzy Hash: 43A002B8691700B7ED6167306D5FF5A37287780F05F3096457241690D15AE4B044DA5C
                              Function 002E69F0 Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction ID: 92bc2658be1fb39a0c7d7d908bef3260b5aed24a35aab6d10657291cc2a295e1
                              • Opcode Fuzzy Hash: e2454b01198a5d00fc32ca08fa7a2be7c10d94ad4e9c325630ada15b60d1c1ce
                              • Instruction Fuzzy Hash:
                              Function 002E6B10 Relevance: 1.3, APIs: 1, Instructions: 4COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction ID: 01d828a2207f55d228c41f04fdab17115a933f4e9323311d14cd65c90a1bc579
                              • Opcode Fuzzy Hash: ab05dfddccdf54668762160c2768d01c6ed1f72808f71746a1287bea05698b8a
                              • Instruction Fuzzy Hash:
                              Function 00261E40 Relevance: 1.3, APIs: 1, Instructions: 4COMMONLIBRARYCODE
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 19b62e3fc1dc80bcc70ea23789113330de3eaa1dc7ad5bf0460402ced9aee3a9
                              • Instruction ID: c0a01b079c78b7c80242a9d6af363ac79a7ef346d67949cdfa09ae6fcc1ca6a4
                              • Opcode Fuzzy Hash: 19b62e3fc1dc80bcc70ea23789113330de3eaa1dc7ad5bf0460402ced9aee3a9
                              • Instruction Fuzzy Hash: F0A00271416101DBDA0A1B10ED194897B65EB85727F21555AF057504B28B314861BA01

                              Non-executed Functions

                              Function 00300090 Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                              Download Yara Rule
                              APIs
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: Version
                              • String ID:
                              • API String ID: 1889659487-0
                              • Opcode ID: 6f4fc387ad9ebfc7ff83dff1820c9d71734190814cac902a00a938a25e8fe847
                              • Instruction ID: fed660be974fa879f9dd7160c16f986f477ca8b9b4d5f7fd88cbceab4d1a6796
                              • Opcode Fuzzy Hash: 6f4fc387ad9ebfc7ff83dff1820c9d71734190814cac902a00a938a25e8fe847
                              • Instruction Fuzzy Hash: CDD05BB692340547D70F772CC8267997765F760300FC90994D8A5C5193F97DC655C2D2
                              Function 0026C085 Relevance: 21.5, APIs: 17, Instructions: 290COMMON
                              Download Yara Rule
                              APIs
                              • memcmp.MSVCRT(?,003148A0,00000010), ref: 0026C09E
                              • memcmp.MSVCRT(?,00310258,00000010), ref: 0026C0BB
                              • memcmp.MSVCRT(?,00310348,00000010), ref: 0026C0CE
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: bb0be53f84173ed85ab4745d77cb3fb1ef69c4ce879bcd3e27ec18513f373d62
                              • Instruction ID: caa055577ec9b19001c42bf6cfbdef5cb6dfa950e9eec6796339a1a7639d3794
                              • Opcode Fuzzy Hash: bb0be53f84173ed85ab4745d77cb3fb1ef69c4ce879bcd3e27ec18513f373d62
                              • Instruction Fuzzy Hash: 7E91E772620715ABD764AE21CC45FFB73A8AF65750F108468FD9AD7200F760AEE4CB90
                              Function 002C447A Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 291COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: $16-bit overflow for number of files in headers$32-bit overflow in headers$Central$Local$Minor_Extra_ERROR$Missing volume : $Unsorted_CD$Zip64$apk
                              • API String ID: 3519838083-1909666238
                              • Opcode ID: 29b47ebfd2a9bd118a56b030400059a508d1a7a05cdda2b014768978e820b727
                              • Instruction ID: 629414e394cc696d87755bc704a60a28c9f2360af45b140e77ff68dc5cb8033c
                              • Opcode Fuzzy Hash: 29b47ebfd2a9bd118a56b030400059a508d1a7a05cdda2b014768978e820b727
                              • Instruction Fuzzy Hash: 77C1CE319306869FCB19EF64C865FFF7B71AB11300F5982ADE0495B162DB309EA9DB40
                              Function 002664F3 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 116threadCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002664F8
                              • GetCurrentThreadId.KERNEL32 ref: 00266508
                              • GetTickCount.KERNEL32 ref: 00266513
                              • GetCurrentProcessId.KERNEL32(?,?,00000000), ref: 0026651E
                              • GetTickCount.KERNEL32 ref: 00266578
                              • SetLastError.KERNEL32(000000B7,?,?,?,?,00000000), ref: 002665C5
                              • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 002665EC
                                • Part of subcall function 00265D7A: __EH_prolog.LIBCMT ref: 00265D7F
                                • Part of subcall function 00265D7A: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000001,?,?,00000000), ref: 00265DA1
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CountCurrentErrorH_prologLastTick$CreateDirectoryProcessThreadfree
                              • String ID: .tmp$d
                              • API String ID: 1989517917-2797371523
                              • Opcode ID: ee5e8447da40014425a0b35d05d8277d7464be3284eb1434a9c59c29e8b8dc99
                              • Instruction ID: dd94f5893147ce7639ba7a11128441bdbe816033147cfc0e00f2e9f9d9f5d8a4
                              • Opcode Fuzzy Hash: ee5e8447da40014425a0b35d05d8277d7464be3284eb1434a9c59c29e8b8dc99
                              • Instruction Fuzzy Hash: A941F032931125DBDF1AAFA0E85A7ECB775FF15314F14022AE402B71A1CB7989A4CF51
                              Function 00296244 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 71COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prologfputs
                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                              • API String ID: 1798449854-1259944392
                              • Opcode ID: 60be623656bc467f795a4c2ab4cfd9008fcae7beef2e8711344481e7fb0c4685
                              • Instruction ID: 7952d247d864c4ff58978a4e3334fdb8a8d4ec1e5dbe2bdac16e182211ce36d7
                              • Opcode Fuzzy Hash: 60be623656bc467f795a4c2ab4cfd9008fcae7beef2e8711344481e7fb0c4685
                              • Instruction Fuzzy Hash: 9A218331A10505DFCF15EBA4C562AAEB3B4EF54310F00007AE502D76E1CB71AD668F80
                              Function 0026A08C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 143COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0026A091
                                • Part of subcall function 00269BAA: RegCloseKey.ADVAPI32(?,?,00269BA0), ref: 00269BB6
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CloseH_prolog
                              • String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\0$Previous Update Revision$Update Revision$x86
                              • API String ID: 1579395594-270022386
                              • Opcode ID: 5018bf9f0f233d89ef0f008d415e3930951461d2439635cf1d1e5251312a0e74
                              • Instruction ID: e6c53fa9b63503fc0f51bd38db994a85b44661fed951333bb08e83006276ef23
                              • Opcode Fuzzy Hash: 5018bf9f0f233d89ef0f008d415e3930951461d2439635cf1d1e5251312a0e74
                              • Instruction Fuzzy Hash: B351B171A21209DFCB25EF98C892AAEB7B4BF59340F00446DE516B7281DB70AD94CF91
                              Function 002BC44E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 67COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002BC453
                                • Part of subcall function 002BC1DF: __EH_prolog.LIBCMT ref: 002BC1E4
                                • Part of subcall function 002BC543: __EH_prolog.LIBCMT ref: 002BC548
                                • Part of subcall function 00261E0C: malloc.MSVCRT ref: 00261E1F
                                • Part of subcall function 00261E0C: _CxxThrowException.MSVCRT(?,00314B28), ref: 00261E39
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$ExceptionThrowmalloc
                              • String ID: ((1$<(1$L(1$\(1
                              • API String ID: 3744649731-664152498
                              • Opcode ID: ec5c44aceb17ac084d79334ced3ac8f9b2afaed39d3552c754648a7b433a7517
                              • Instruction ID: 12f5bd3d9fe62694e2a031a12df08fd736021c2161b6dfd18a51420ca46c858e
                              • Opcode Fuzzy Hash: ec5c44aceb17ac084d79334ced3ac8f9b2afaed39d3552c754648a7b433a7517
                              • Instruction Fuzzy Hash: 21219AB4911B44CEC729DF6AC44869BFBF4EF98304F20891ED09697B51DBB0AA58CF50
                              Function 00296025 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0029602A
                              • EnterCriticalSection.KERNEL32(00322938), ref: 00296044
                              • LeaveCriticalSection.KERNEL32(00322938), ref: 00296060
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterH_prologLeave
                              • String ID: v$8)2
                              • API String ID: 367238759-3293438690
                              • Opcode ID: 5008cd44c659e70a4aa01f1f869034e7222403eb7ee54af2e2cb0e49e807f704
                              • Instruction ID: 8f3cf8fac1bc00457158ef734ba3facc3455d67f3308a2913fadd27f6d361bf2
                              • Opcode Fuzzy Hash: 5008cd44c659e70a4aa01f1f869034e7222403eb7ee54af2e2cb0e49e807f704
                              • Instruction Fuzzy Hash: 7AF09A36921114EFC702CF88D919EDEBBB8FF49350F10816AF401A7211C7B4DA04CBA0
                              Function 002C03D6 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 212COMMON
                              Download Yara Rule
                              APIs
                              • memset.MSVCRT ref: 002C03F5
                              • memcpy.MSVCRT(?,?,00000008,00000064,?,?,?,?,00000064), ref: 002C0490
                              • memset.MSVCRT ref: 002C0618
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: memset$memcpy
                              • String ID: $@
                              • API String ID: 368790112-1077428164
                              • Opcode ID: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                              • Instruction ID: e010dd3bf5110da18831b89e98108500cee26465c07caf74f33fd51ed2b50945
                              • Opcode Fuzzy Hash: b087934bbc7c95f7ee7647cfdf8c5fba5a54d9d4edf4d7707c4dc34027eb37c2
                              • Instruction Fuzzy Hash: 2F91EF30910309EFEB20DF24C881FDAB7B5BF54304F14866DE59A56192DB70BAA9CF90
                              Function 0026613C Relevance: 7.6, APIs: 5, Instructions: 150COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00266141
                                • Part of subcall function 00266C72: __EH_prolog.LIBCMT ref: 00266C77
                              • SetLastError.KERNEL32(0000010B,00000000,00000000), ref: 00266197
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 0026626E
                              • SetLastError.KERNEL32(?,?,?,?,?,0000005C,?,00000000,00000000), ref: 002662A9
                                • Part of subcall function 00266096: __EH_prolog.LIBCMT ref: 0026609B
                                • Part of subcall function 00266096: DeleteFileW.KERNEL32(?,?,?,00000000), ref: 002660DF
                              • GetLastError.KERNEL32(?,?,?,0000005C,?,00000000,00000000), ref: 00266285
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ErrorLast$H_prolog$DeleteFile
                              • String ID:
                              • API String ID: 3586524497-0
                              • Opcode ID: cb25fc3782d3f64e0261d8c2df62d1611e1265f938c611c3dcb0de566825be62
                              • Instruction ID: b911ed41f285841d2dc5089bb4ad7a50badbf7e398243aa0ae0e14ff11f3a67b
                              • Opcode Fuzzy Hash: cb25fc3782d3f64e0261d8c2df62d1611e1265f938c611c3dcb0de566825be62
                              • Instruction Fuzzy Hash: 7F51E231C20219EADF15EFE4D859BEDBB74AF15340F104199E84173192CB356AA9CF50
                              Function 002744C2 Relevance: 7.6, APIs: 6, Instructions: 84COMMON
                              Download Yara Rule
                              APIs
                              • memcmp.MSVCRT(?,003148A0,00000010), ref: 002744DB
                              • memcmp.MSVCRT(?,00310128,00000010), ref: 002744EE
                              • memcmp.MSVCRT(?,00310228,00000010), ref: 0027450B
                              • memcmp.MSVCRT(?,00310248,00000010), ref: 00274528
                              • memcmp.MSVCRT(?,003101C8,00000010), ref: 00274545
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: 0c834fa12d795ac15d321985ffabec58a9a47aa31f965bf2dbd5c8b1da8c4e37
                              • Instruction ID: 4d320ede18f762cefa6aee5d741a6bbb777e6a7ea5f4f4762e733028e0a868ee
                              • Opcode Fuzzy Hash: 0c834fa12d795ac15d321985ffabec58a9a47aa31f965bf2dbd5c8b1da8c4e37
                              • Instruction Fuzzy Hash: 092195727602096BE719DE20DC82FBE73AC9F647A4F04C535FE0A9A245F7B4DD608690
                              Function 002AC414 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 181COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: !$LZMA2:$LZMA:
                              • API String ID: 3519838083-3332058968
                              • Opcode ID: 1985562a0e8545525ca29fd8d70fa51666dfb06bab787b0a569dfe6dadcd76ff
                              • Instruction ID: 625b2f778f22a53218c3af28409d3ebb34bfbd3f5e2d146df5c8f643d7f2f148
                              • Opcode Fuzzy Hash: 1985562a0e8545525ca29fd8d70fa51666dfb06bab787b0a569dfe6dadcd76ff
                              • Instruction Fuzzy Hash: CE61F07092014ADFDB29CF64C559BFD7BA9AF5A700F3440B9E40667162CF70AEA0CB40
                              Function 0026A384 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0026A389
                                • Part of subcall function 0026A4C5: GetModuleHandleW.KERNEL32(ntdll.dll,?,0026A3C1,00000001), ref: 0026A4CD
                                • Part of subcall function 0026A4C5: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0026A4DD
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AddressH_prologHandleModuleProc
                              • String ID: : $ SP:$Windows
                              • API String ID: 786088110-3655538264
                              • Opcode ID: a9986ed6d26d8824893f2c0a8403c85b472a657c79e316f717814c5ada8e9e47
                              • Instruction ID: af841273c6778aced35d09e26e58919a6b63db4b9839e39cb2db25e117cde791
                              • Opcode Fuzzy Hash: a9986ed6d26d8824893f2c0a8403c85b472a657c79e316f717814c5ada8e9e47
                              • Instruction Fuzzy Hash: C4311A31C21519DACF1AEBA5CCA29EEBBB4BF58340F500069E502731D1DF715AE9CEA1
                              Function 0026A4C5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON
                              Download Yara Rule
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll,?,0026A3C1,00000001), ref: 0026A4CD
                              • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0026A4DD
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-1489217083
                              • Opcode ID: e6f5157c1e8673054d97985b7519ead5948a6cfff9601845bdf085acd905b984
                              • Instruction ID: c885c4ecd5b4072d7ee8846a71541c219e6f105897adcd321020091b2633d813
                              • Opcode Fuzzy Hash: e6f5157c1e8673054d97985b7519ead5948a6cfff9601845bdf085acd905b984
                              • Instruction Fuzzy Hash: 9FD0A7313362111AF6216BB93C1EBE7124C9B41B50B015613FC00D00C1EAC49DC204E1
                              Function 00280306 Relevance: 6.1, APIs: 4, Instructions: 89COMMON
                              Download Yara Rule
                              APIs
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,00000000,?), ref: 00280359
                              • GetLastError.KERNEL32(?,?,00000000,?), ref: 00280382
                              • GetFileSecurityW.ADVAPI32(?,00000007,?,?,00000000,?,?,?,00000000,?), ref: 002803DA
                              • GetLastError.KERNEL32(?,?,00000000,?,?,?,00000000,?), ref: 002803F0
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ErrorFileLastSecurity
                              • String ID:
                              • API String ID: 555121230-0
                              • Opcode ID: 93e67d57a665b3ed87920fee95a9c3d4ec43e15284e7e054a06d399f8f519699
                              • Instruction ID: b9caaa8bb9aa45122d401ed524e0b878073cc437afd48a044244a5ff9266832f
                              • Opcode Fuzzy Hash: 93e67d57a665b3ed87920fee95a9c3d4ec43e15284e7e054a06d399f8f519699
                              • Instruction Fuzzy Hash: 6231807491120AEFDB51EFA4C880BAEBBB5FF44304F108999E455E7290D770AE54DB50
                              Function 002682FB Relevance: 6.1, APIs: 4, Instructions: 78COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 00268300
                              • GetFileInformationByHandle.KERNEL32(000000FF,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0026834F
                              • DeviceIoControl.KERNEL32(000000FF,000900A8,00000000,00000000,00000000,00004000,?,00000000), ref: 0026837C
                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000001,00000003,02200000,?,?,?), ref: 0026839B
                                • Part of subcall function 00261E40: free.MSVCRT ref: 00261E44
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: ControlDeviceFileH_prologHandleInformationfreememcpy
                              • String ID:
                              • API String ID: 1689166341-0
                              • Opcode ID: b124a871c7820ce20bbe2c414c0917d6ca2b9b708e253283b91554b702770eb4
                              • Instruction ID: 2ac4150c482b61bd6ffdf46ce2dbffcc14c40ac6a77b058520a2fd9665c18488
                              • Opcode Fuzzy Hash: b124a871c7820ce20bbe2c414c0917d6ca2b9b708e253283b91554b702770eb4
                              • Instruction Fuzzy Hash: 7021F572910248AFDF11DF94DC91AEEBBB9EF58740F14016EF905A3291CA324EA4CB60
                              Function 002A60D2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: BlockPackSize$BlockUnpackSize
                              • API String ID: 3519838083-5494122
                              • Opcode ID: f97592167426c981881a6ca33f27685e4f72155b7b68923374c4d7bbb4e344d8
                              • Instruction ID: 8136c1991b01cdfb634f81e1810583c3131d306cbea4858b8502b2e4b8890dd5
                              • Opcode Fuzzy Hash: f97592167426c981881a6ca33f27685e4f72155b7b68923374c4d7bbb4e344d8
                              • Instruction Fuzzy Hash: B851D3718202869FDF3A8FA488A9BFDBBA1AF27304F1C405ED89652191DF615DB8D701
                              Function 0026A4F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 0026A4F8
                                • Part of subcall function 0026A384: __EH_prolog.LIBCMT ref: 0026A389
                                • Part of subcall function 00269E14: GetSystemInfo.KERNEL32(?), ref: 00269E36
                                • Part of subcall function 00269E14: GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 00269E50
                                • Part of subcall function 00269E14: GetProcAddress.KERNEL32(00000000), ref: 00269E57
                              • strcmp.MSVCRT ref: 0026A564
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog$AddressHandleInfoModuleProcSystemstrcmp
                              • String ID: -
                              • API String ID: 2798778560-3695764949
                              • Opcode ID: 022cf27a1b8ebccf08a3b81db1adb975ce06f716fc6b96ca8e5acad9b754ae98
                              • Instruction ID: de850bd8b0938dd8af000f8d613261dc7f9c5709f6ff3492014a31b9691a952f
                              • Opcode Fuzzy Hash: 022cf27a1b8ebccf08a3b81db1adb975ce06f716fc6b96ca8e5acad9b754ae98
                              • Instruction Fuzzy Hash: C7316931D2111ADBCF19FBE0D8529EDB7B5EF14710F50402AF40272191DB316AA9CE62
                              Function 00296184 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: 0$x
                              • API String ID: 3519838083-1948001322
                              • Opcode ID: ad4560e5918889b7208379fe12b1005c78fd6b5778a046c7fb5507c3e27b8912
                              • Instruction ID: 534a77a905bd5b2f5588044511d96d97fb365541853823bb046b998e70328e35
                              • Opcode Fuzzy Hash: ad4560e5918889b7208379fe12b1005c78fd6b5778a046c7fb5507c3e27b8912
                              • Instruction Fuzzy Hash: E9215E36D2111ADACF05EF98C9A5AEDB7B5FF48304F14042AE80177281DB755E58CFA0
                              Function 002C4034 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON
                              Download Yara Rule
                              APIs
                              • __EH_prolog.LIBCMT ref: 002C4039
                                • Part of subcall function 002C40BA: __EH_prolog.LIBCMT ref: 002C40BF
                                • Part of subcall function 002A5E2B: __EH_prolog.LIBCMT ref: 002A5E30
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: H_prolog
                              • String ID: D.1$T.1
                              • API String ID: 3519838083-2465451127
                              • Opcode ID: fe082a5669f7dcb89e045639d3a35375df43262ba604f7dc886c80c755f4a8dd
                              • Instruction ID: cd8c57089d51b3cc96aa34ad839cce36638221532247a248a82e1b5eec578a1f
                              • Opcode Fuzzy Hash: fe082a5669f7dcb89e045639d3a35375df43262ba604f7dc886c80c755f4a8dd
                              • Instruction Fuzzy Hash: 76011AB5A117108FC769DF64C51569BBBF4EF08704F008D1E949A93741EBB0A658CF91
                              Function 002982DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: =
                              • API String ID: 1795875747-2525689732
                              • Opcode ID: 7977c2664d7e76bd0be6665092bd43139b1da2c4ef0852b324943fd1d973bd1e
                              • Instruction ID: da0930c599edb0ac192e4f1749f52cb06e1f6644480b00197df4fe227b9cecf2
                              • Opcode Fuzzy Hash: 7977c2664d7e76bd0be6665092bd43139b1da2c4ef0852b324943fd1d973bd1e
                              • Instruction Fuzzy Hash: 32E0DF31E101149BDF01ABE99C618FE7B2DEB80314B080823E911C7240EB70A931CBD0
                              Function 0029C2AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 16COMMON
                              Download Yara Rule
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: Unsupported Windows version$p&2
                              • API String ID: 1795875747-1570868323
                              • Opcode ID: db46851c955c985c1b07a5a10fb31e54d0d06fcd799d2ff12847ea4d7543668c
                              • Instruction ID: 90762f013bc7a659deb7d62dc2124f5abf89f6c4e8442c4341dee4d413c34008
                              • Opcode Fuzzy Hash: db46851c955c985c1b07a5a10fb31e54d0d06fcd799d2ff12847ea4d7543668c
                              • Instruction Fuzzy Hash: B0D0A933328200EFEB0A8B88F846BE433B0E388B20F20042BE102D6090DBB560118A04
                              Function 002C41C0 Relevance: 5.1, APIs: 4, Instructions: 57COMMON
                              Download Yara Rule
                              APIs
                              • memcmp.MSVCRT(?,003148A0,00000010), ref: 002C41D6
                              • memcmp.MSVCRT(?,00310168,00000010), ref: 002C41F1
                              • memcmp.MSVCRT(?,003101E8,00000010), ref: 002C4205
                              Memory Dump Source
                              • Source File: 00000009.00000002.1746619041.0000000000261000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00260000, based on PE: true
                              • Associated: 00000009.00000002.1746598486.0000000000260000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746699114.000000000030C000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746730503.0000000000322000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 00000009.00000002.1746754855.000000000032B000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_9_2_260000_7zr.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: b988b6e411032b8532684f217425c28975e9e5696725309cb03400a51b9f4ab3
                              • Instruction ID: da27b856999ea0623564ba53f34ed4511952bc21b11b2e946f94bed419a0b5a4
                              • Opcode Fuzzy Hash: b988b6e411032b8532684f217425c28975e9e5696725309cb03400a51b9f4ab3
                              • Instruction Fuzzy Hash: 9E01043236020967D7149E10CC83FBE77A89F68750F04453DFE8ADB282F2F4A9A08741